Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 01:04

General

  • Target

    12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe

  • Size

    1.2MB

  • MD5

    827d17ea8908eee608affcbf9a41a4a8

  • SHA1

    082df822af7674e9851f707a11eb948d9dd3107b

  • SHA256

    12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e

  • SHA512

    71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

  • SSDEEP

    24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaoXBKqF3Qb11YDO1Qo95:Dh+ZkldoPK8YaokqFWoDn6

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe
    "C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\directory\file5.exe
      "C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"
        3⤵
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
    Filesize

    859KB

    MD5

    2420cf7c48cc0cd5b5503d2410a6981a

    SHA1

    f963ac5873b3e70a24ce74499cb032e9ab68d454

    SHA256

    e4dc2a8658c3f9788e183bffa523e2063d01daf335396bf3eff0bd3731eaeb42

    SHA512

    8c527e3fa20dba59a958988b293f0358501efca9118b45b5a8ad505f8fdc466e83ca7aa81b473e3b382c3807386ba59a263f0237272dbd76c535f753b6501981

  • C:\Users\Admin\AppData\Local\Temp\done
    Filesize

    28KB

    MD5

    764c56ef5805ba4e1b8a20f7c7515762

    SHA1

    43d20748615fdcbc5dc2781c7ec39aa05d93dd66

    SHA256

    154599a882d84df848b842b1262f810a1ee21f273357de1f1ac812821ba3d8ae

    SHA512

    9f2be8f1e9f067b88450436abc57a7305507c0429c7ffa3ee3134b466b7d43f41b435f30cb4664d4c16dfcf1172692e9965d121907930aea8307982543596cfa

  • C:\Users\Admin\AppData\Local\Temp\pyogenesis
    Filesize

    305KB

    MD5

    5a82d2ba2918d9b69b8d2e33453508db

    SHA1

    10630a647881d8afbcab3792b75fc8b9ad5951dc

    SHA256

    c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45

    SHA512

    86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\directory\file5.exe
    Filesize

    1.2MB

    MD5

    827d17ea8908eee608affcbf9a41a4a8

    SHA1

    082df822af7674e9851f707a11eb948d9dd3107b

    SHA256

    12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e

    SHA512

    71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

  • memory/1732-11-0x0000000000750000-0x0000000000754000-memory.dmp
    Filesize

    16KB

  • memory/2560-32-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/2560-33-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/2560-34-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/2560-37-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/2560-116-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB