Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 20-06-2024 01:04
Static task: static1
Behavioral task: behavioral1
  Sample: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe
  Resource: win10v2004-20240226-en
General
Target: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe
Size: 1.2MB
MD5: 827d17ea8908eee608affcbf9a41a4a8
SHA1: 082df822af7674e9851f707a11eb948d9dd3107b
SHA256: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
SHA512: 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e
SSDEEP: 24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaoXBKqF3Qb11YDO1Qo95:Dh+ZkldoPK8YaokqFWoDn6
Malware Config
Signatures
Neshta
Neshta is a file-infecting malware family: it inserts itself into other executable files to spread and cause damage.

Drops startup file (1 IoC)
Process: file5.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs

Executes dropped EXE (1 IoC)
- PID 2140: file5.exe

Loads dropped DLL (3 IoCs)
- PID 1732: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe
- PID 2560: svchost.exe
- PID 2560: svchost.exe

Modifies system executable filetype association (2 TTPs, 1 IoC)
Process: svchost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
- YARA rule autoit_exe matched: \Users\Admin\AppData\Local\directory\file5.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 2140 (file5.exe) set thread context of PID 2560 (svchost.exe)
Drops file in Program Files directory (64 IoCs)
Process: svchost.exe
Drops file in Windows directory (1 IoC)
Process: svchost.exe
- File opened for modification: C:\Windows\svchost.com

Modifies registry class (1 IoC)
Process: svchost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"

Suspicious behavior: MapViewOfSection (1 IoC)
- PID 2140: file5.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1732: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe (2 hits)
- PID 2140: file5.exe (2 hits)

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1732: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe (2 hits)
- PID 2140: file5.exe (2 hits)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 1732 (12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe) wrote to memory of PID 2140 (file5.exe): 4 times
- PID 2140 (file5.exe) wrote to memory of PID 2560 (svchost.exe): 5 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"
   - Loads dropped DLL
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\directory\file5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. (child of 2) C:\Windows\SysWOW64\svchost.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"
         - Loads dropped DLL
         - Modifies system executable filetype association
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Modifies registry class
Downloads