Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-06-2024 01:23

General

  • Target

    order SL2024-01.exe

  • Size

    1.2MB

  • MD5

    827d17ea8908eee608affcbf9a41a4a8

  • SHA1

    082df822af7674e9851f707a11eb948d9dd3107b

  • SHA256

    12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e

  • SHA512

    71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

  • SSDEEP

    24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaoXBKqF3Qb11YDO1Qo95:Dh+ZkldoPK8YaokqFWoDn6

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe
    "C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\directory\file5.exe
      "C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"
        3⤵
          PID:4956
        • C:\Users\Admin\AppData\Local\directory\file5.exe
          "C:\Users\Admin\AppData\Local\directory\file5.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2328
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Users\Admin\AppData\Local\directory\file5.exe"
            4⤵
              PID:1792
            • C:\Users\Admin\AppData\Local\directory\file5.exe
              "C:\Users\Admin\AppData\Local\directory\file5.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2448
              • C:\Windows\SysWOW64\svchost.exe
                "C:\Users\Admin\AppData\Local\directory\file5.exe"
                5⤵
                • Modifies system executable filetype association
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                PID:1564

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Privilege Escalation

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
        Filesize

        2.4MB

        MD5

        fda6ad2775db2a19f8cbed4f348143c3

        SHA1

        2ba0dce08231f16a110665eaaac88f76e009f6e4

        SHA256

        ac5322711d79824bb5be0dce1b7bcc431efbb4c538fbcefe57d04867270e0cb7

        SHA512

        161ee40921ff3e347ab4b43d3858495ebdd8188e5b9f08bb76d52e8799c1a14c16ecb0fdb3019034e334e68a3d1337122a3a10c4d00382adc4ce92a3c7303be9

      • C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
        Filesize

        40KB

        MD5

        02d5934d708008ecdbced2f8c1491727

        SHA1

        21f7ab77b928386ace6ac3366ae017b0ac73ad3a

        SHA256

        f8898de9a8d6d10f61e1075471f4dbf21e52b5e71969d10675359fa7bfcbfd00

        SHA512

        252b8652695b60222d1165eda50440893f1a5c5e59a6d2e607de80405fb1d083da3421a0b3d27f3dfb20e298253d0f04ae87d6c092270ac4f23056c33f6523a5

      • C:\Users\Admin\AppData\Local\Temp\aut45D3.tmp
        Filesize

        305KB

        MD5

        5a82d2ba2918d9b69b8d2e33453508db

        SHA1

        10630a647881d8afbcab3792b75fc8b9ad5951dc

        SHA256

        c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45

        SHA512

        86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

      • C:\Users\Admin\AppData\Local\Temp\aut4B62.tmp
        Filesize

        9KB

        MD5

        8bd1753cdaeedb7ae8d8f542b6228734

        SHA1

        66aa541fa71b9257c798312a721235d45fd856ad

        SHA256

        98d60eabac5d06c99b4bd26abf0e5f6923732879e2da20648dbc6b50d63b047c

        SHA512

        ed8e99fbe66b98e0e4dca83149239092054e13dc7b47e2ffac429a723052b81509f3901d56b7a36529e8308cdba9d0f943a3fa9cf089de1537d249549fd1c8db

      • C:\Users\Admin\AppData\Local\Temp\done
        Filesize

        28KB

        MD5

        764c56ef5805ba4e1b8a20f7c7515762

        SHA1

        43d20748615fdcbc5dc2781c7ec39aa05d93dd66

        SHA256

        154599a882d84df848b842b1262f810a1ee21f273357de1f1ac812821ba3d8ae

        SHA512

        9f2be8f1e9f067b88450436abc57a7305507c0429c7ffa3ee3134b466b7d43f41b435f30cb4664d4c16dfcf1172692e9965d121907930aea8307982543596cfa

      • C:\Users\Admin\AppData\Local\Temp\pyogenesis
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • C:\Users\Admin\AppData\Local\directory\file5.exe
        Filesize

        1.2MB

        MD5

        827d17ea8908eee608affcbf9a41a4a8

        SHA1

        082df822af7674e9851f707a11eb948d9dd3107b

        SHA256

        12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e

        SHA512

        71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

      • memory/1564-62-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

      • memory/1564-63-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

      • memory/4724-12-0x0000000000DB0000-0x0000000000DB4000-memory.dmp
        Filesize

        16KB