Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 01:23
- Static task: static1
- Behavioral task: behavioral1
  - Sample: order SL2024-01.exe
  - Resource: win7-20240611-en
- Behavioral task: behavioral2
  - Sample: order SL2024-01.exe
  - Resource: win10v2004-20240508-en
General
- Target: order SL2024-01.exe
- Size: 1.2MB
- MD5: 827d17ea8908eee608affcbf9a41a4a8
- SHA1: 082df822af7674e9851f707a11eb948d9dd3107b
- SHA256: 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
- SHA512: 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e
- SSDEEP: 24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaoXBKqF3Qb11YDO1Qo95:Dh+ZkldoPK8YaokqFWoDn6
Signatures

Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

Drops startup file (1 IoC)
  description  | ioc                                                                                   | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs | file5.exe

Executes dropped EXE (3 IoCs)
  pid  | process
  4820 | file5.exe
  2328 | file5.exe
  2448 | file5.exe

Modifies system executable filetype association (2 TTPs, 1 IoC)
  description     | ioc                                                                                                                  | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | svchost.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource                                          | yara_rule
  C:\Users\Admin\AppData\Local\directory\file5.exe  | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | process   | target process
  PID 2448 set thread context of 1564  | 2448 | file5.exe | svchost.exe
Drops file in Program Files directory (64 IoCs)
  Process: svchost.exe
  Description: File opened for modification (64 executables under Program Files)
Drops file in Windows directory (1 IoC)
  description                  | ioc                     | process
  File opened for modification | C:\Windows\svchost.com  | svchost.exe

Modifies registry class (1 IoC)
  description     | ioc                                                                                                                  | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | svchost.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid  | process
  4820 | file5.exe
  2328 | file5.exe
  2448 | file5.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
  pid  | process
  4724 | order SL2024-01.exe
  4724 | order SL2024-01.exe
  4820 | file5.exe
  4820 | file5.exe
  2328 | file5.exe
  2328 | file5.exe
  2448 | file5.exe
  2448 | file5.exe

Suspicious use of SendNotifyMessage (8 IoCs)
  pid  | process
  4724 | order SL2024-01.exe
  4724 | order SL2024-01.exe
  4820 | file5.exe
  4820 | file5.exe
  2328 | file5.exe
  2328 | file5.exe
  2448 | file5.exe
  2448 | file5.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                       | pid  | process             | target process
  PID 4724 wrote to memory of 4820  | 4724 | order SL2024-01.exe | file5.exe
  PID 4724 wrote to memory of 4820  | 4724 | order SL2024-01.exe | file5.exe
  PID 4724 wrote to memory of 4820  | 4724 | order SL2024-01.exe | file5.exe
  PID 4820 wrote to memory of 4956  | 4820 | file5.exe           | svchost.exe
  PID 4820 wrote to memory of 4956  | 4820 | file5.exe           | svchost.exe
  PID 4820 wrote to memory of 4956  | 4820 | file5.exe           | svchost.exe
  PID 4820 wrote to memory of 2328  | 4820 | file5.exe           | file5.exe
  PID 4820 wrote to memory of 2328  | 4820 | file5.exe           | file5.exe
  PID 4820 wrote to memory of 2328  | 4820 | file5.exe           | file5.exe
  PID 2328 wrote to memory of 1792  | 2328 | file5.exe           | svchost.exe
  PID 2328 wrote to memory of 1792  | 2328 | file5.exe           | svchost.exe
  PID 2328 wrote to memory of 1792  | 2328 | file5.exe           | svchost.exe
  PID 2328 wrote to memory of 2448  | 2328 | file5.exe           | file5.exe
  PID 2328 wrote to memory of 2448  | 2328 | file5.exe           | file5.exe
  PID 2328 wrote to memory of 2448  | 2328 | file5.exe           | file5.exe
  PID 2448 wrote to memory of 1564  | 2448 | file5.exe           | svchost.exe
  PID 2448 wrote to memory of 1564  | 2448 | file5.exe           | svchost.exe
  PID 2448 wrote to memory of 1564  | 2448 | file5.exe           | svchost.exe
  PID 2448 wrote to memory of 1564  | 2448 | file5.exe           | svchost.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\directory\file5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"
    - [3] C:\Users\Admin\AppData\Local\directory\file5.exe
      Command line: "C:\Users\Admin\AppData\Local\directory\file5.exe"
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Users\Admin\AppData\Local\directory\file5.exe"
      - [4] C:\Users\Admin\AppData\Local\directory\file5.exe
        Command line: "C:\Users\Admin\AppData\Local\directory\file5.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\directory\file5.exe"
          - Modifies system executable filetype association
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Modifies registry class
Downloads
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe (2.4MB)
- C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe (40KB)
- C:\Users\Admin\AppData\Local\Temp\aut45D3.tmp (305KB)
- C:\Users\Admin\AppData\Local\Temp\aut4B62.tmp (9KB)
- C:\Users\Admin\AppData\Local\Temp\done (28KB)
- C:\Users\Admin\AppData\Local\Temp\pyogenesis (empty file)
- C:\Users\Admin\AppData\Local\directory\file5.exe (1.2MB; same hashes as the submitted sample)
- memory/1564-62-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
- memory/1564-63-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
- memory/4724-12-0x0000000000DB0000-0x0000000000DB4000-memory.dmp (16KB)