Analysis Overview
SHA256
efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62
Threat Level: Known bad
The file efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe was found to be: Known bad.
Malicious Activity Summary
Neshta
Command and Scripting Interpreter: PowerShell
Modifies system executable filetype association
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-06-14 02:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-14 02:08
Reported: 2024-06-14 02:10
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 118s
Command Line
Signatures
Neshta
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe
"C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDPbITQ.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDPbITQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp"
C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe
"C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp
| MD5 | d6a3d7bf911052e3044ef11bb125bf3d |
| SHA1 | 96f5e20af87135c8271d8d8e84598df3405368a5 |
| SHA256 | 180a4c64dc4f0f131472c04ba9c178d7a5c39e61d35c9d06401524b7486d4b41 |
| SHA512 | 3c4a50e155f68bea25d51636aedbf769ba77291325745c6563996d0111c8c2b6e7f4de5903ba2b2cd3897e0d799c03b8a797240fea6f973324c2c77229518c35 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | b3d959d5e0c0e24479a08c34a52b3617 |
| SHA1 | 7a257b52a311b0291e0eea429ec0256fe83dfbdf |
| SHA256 | c761e10cf1797e68c9a714f624d9b698035e59d60d6ee596a9df61e52a6f3b52 |
| SHA512 | e0eb247a0bfde9339cf9ff1d8888cfb3959630caf02f1fab426a3d2159861ea56245ec22bb43153e507b86e2ecea5bb5cdcb5f3809fb272ac1f06d56a662dcb4 |
C:\Windows\svchost.com
| MD5 | 120deec408f0c0ce6794ba34e43620ad |
| SHA1 | 650bd9bfa5faa81de93869dc305c21a5b4379bfc |
| SHA256 | bba84f944e12bff91b1145c768cde81e677e422c05e9142011c97b6c381669c3 |
| SHA512 | ddf267842a37b3bbd5f1ab7e4159619e6dcc1ea566d69ecd25e08784784f58e9d0a1cc9aaf1318b56b0d0b5ccfe093bbe46752ba5cb9d542c309cd943cdf9e3f |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
C:\Users\Admin\AppData\Roaming\iDPbITQ.exe
| MD5 | 17d5cd7bbd3ad9311f90a3ad053fb4dc |
| SHA1 | 158d74e9fa5c678e9f2907de85ba9a89c45db8f6 |
| SHA256 | efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62 |
| SHA512 | a57470263f754cde985f836922de3dc1892a79a6b534eeb6dd05c1827b54537b2c5c413f41baeb2c51f1aa57ca83ab8ac777700116e811c6e55004e4f4bb52a9 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-14 02:08
Reported: 2024-06-14 02:10
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s
Command Line
Signatures
Neshta
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2176 set thread context of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe
"C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDPbITQ.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDPbITQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA76B.tmp"
C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe
"C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe"
C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe
"C:\Users\Admin\AppData\Local\Temp\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpA76B.tmp
| MD5 | 42de53c1a106c6c3a0aae433650295e9 |
| SHA1 | 98995bf53cfcd1d1d54e5fa4e108dadaa3664db7 |
| SHA256 | bc43b640920b6b1bc371570ec5d3a5934d3f16279bac1e7f66eec7b1b86c0db8 |
| SHA512 | 78d8922a8e66ee74be20ee27d90479653187ee699a37ec91ec866e6e7a67e0282407651c675dfcc7db3f6084c79b52fd49ca5e6361fd096d41e0c4dbc9b7b5ad |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_noqvtyhf.3r5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\3582-490\efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62.exe
| MD5 | 7dd903aa9a8031898c3b31d33321a584 |
| SHA1 | 24e806b2c77d16be2ff268a6f44dacfb2ec0cbd7 |
| SHA256 | 304cbd818f9f3466fc9585b3697e43b4d3588ba818af0176ccd5dae00b7fba37 |
| SHA512 | 50f0d1eee5631d6ac5213082411c3612ba39130fa711fbe921c32c5108de332bab77fd40e8d1f66fac14f33a0e3b39e1d99381ff130cb2dbb40b9422840d2dc2 |
C:\Windows\svchost.com
| MD5 | 120deec408f0c0ce6794ba34e43620ad |
| SHA1 | 650bd9bfa5faa81de93869dc305c21a5b4379bfc |
| SHA256 | bba84f944e12bff91b1145c768cde81e677e422c05e9142011c97b6c381669c3 |
| SHA512 | ddf267842a37b3bbd5f1ab7e4159619e6dcc1ea566d69ecd25e08784784f58e9d0a1cc9aaf1318b56b0d0b5ccfe093bbe46752ba5cb9d542c309cd943cdf9e3f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | be7debc88c6999ca0d3f1ee4af4461d3 |
| SHA1 | 2e55eec94130c8718ad35c90fb82a83a13377143 |
| SHA256 | cc95c3512fcc67f1548c9155f4168f691a984d4c0a53e1182667c0bf5e5d864f |
| SHA512 | 41871b47b99834c2f8a24a4ab49585f3cac1710382f9cfac56f223589ea62d33d3012b505d6b23ff4f868cb18c7031bcb839520a94594a42097d19ae1874d3d9 |
C:\Users\Admin\AppData\Roaming\iDPbITQ.exe
| MD5 | 17d5cd7bbd3ad9311f90a3ad053fb4dc |
| SHA1 | 158d74e9fa5c678e9f2907de85ba9a89c45db8f6 |
| SHA256 | efc11f7b37fb2e8708e9299d4543c4e45963df369e408320b9d1d04aa5dbac62 |
| SHA512 | a57470263f754cde985f836922de3dc1892a79a6b534eeb6dd05c1827b54537b2c5c413f41baeb2c51f1aa57ca83ab8ac777700116e811c6e55004e4f4bb52a9 |