Analysis
max time kernel: 15s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 22:33
Behavioral task behavioral1
Sample: 1f0b9ca60d16e9702072a451cda8f010N.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: 1f0b9ca60d16e9702072a451cda8f010N.exe
Resource: win10v2004-20240709-en
General
Target: 1f0b9ca60d16e9702072a451cda8f010N.exe
Size: 3.0MB
MD5: 1f0b9ca60d16e9702072a451cda8f010
SHA1: 6c2f8a9cd75b0867bd7e69d7972a3080d9cf6c1d
SHA256: 8078c7293afd40870b4cf1bdd4edf8229a88c4ad467eaccff67fe21a2e1e7146
SHA512: 18f7f85fe7d084a4fa700bc8874f070170dac87fd583aa5a59c6d9200fbc45fd5073a5085b39c92a2809afff426c76f36041e6d17170c4590133c13e7c85aff1
SSDEEP: 49152:bwi8hXaMLmdGdZMvPspL0McbmAxTmxHfW7JBwPONm6AsU/w/Lg+/YkXJAVev:U3XxLKGdZMvELCmAMHeBwPXsU4/LgSYw
Malware Config
Signatures
Detect Neshta payload 3 IoCs
Processes:
resource: C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe, yara_rule: family_neshta
resource: behavioral1/memory/2316-116-0x0000000000400000-0x000000000041B000-memory.dmp, yara_rule: family_neshta
resource: behavioral1/memory/2316-118-0x0000000000400000-0x000000000041B000-memory.dmp, yara_rule: family_neshta
Neshta
Malware from the Neshta family is a file infector: it injects itself into other executables to spread and cause damage.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
Processes: DefaultPack.EXE
description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation, process: DefaultPack.EXE
Executes dropped EXE 2 IoCs
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe, DefaultPack.EXE
pid 2352: 1f0b9ca60d16e9702072a451cda8f010N.exe
pid 2076: DefaultPack.EXE
Loads dropped DLL 6 IoCs
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe, 1f0b9ca60d16e9702072a451cda8f010N.exe, DefaultPack.EXE
pid 2316: 1f0b9ca60d16e9702072a451cda8f010N.exe
pid 2352: 1f0b9ca60d16e9702072a451cda8f010N.exe
pid 2352: 1f0b9ca60d16e9702072a451cda8f010N.exe
pid 2076: DefaultPack.EXE
pid 2076: DefaultPack.EXE
pid 2316: 1f0b9ca60d16e9702072a451cda8f010N.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*", process: 1f0b9ca60d16e9702072a451cda8f010N.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", process: 1f0b9ca60d16e9702072a451cda8f010N.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
description: File opened for modification, ioc: C:\Windows\svchost.com, process: 1f0b9ca60d16e9702072a451cda8f010N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Processes: DefaultPack.EXE
description: Key created, ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main, process: DefaultPack.EXE
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes: DefaultPack.EXE
description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.msn.com/?pc=U220&ocid=U220DHP&osmkt=en-us", process: DefaultPack.EXE
Modifies registry class 1 IoCs
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*", process: 1f0b9ca60d16e9702072a451cda8f010N.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: DefaultPack.EXE
pid 2076: DefaultPack.EXE
Suspicious use of WriteProcessMemory 14 IoCs
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe, 1f0b9ca60d16e9702072a451cda8f010N.exe
PID 2316 wrote to memory of 2352 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
PID 2316 wrote to memory of 2352 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
PID 2316 wrote to memory of 2352 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
PID 2316 wrote to memory of 2352 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
PID 2316 wrote to memory of 2352 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
PID 2316 wrote to memory of 2352 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
PID 2316 wrote to memory of 2352 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
PID 2352 wrote to memory of 2076 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
PID 2352 wrote to memory of 2076 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
PID 2352 wrote to memory of 2076 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
PID 2352 wrote to memory of 2076 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
PID 2352 wrote to memory of 2076 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
PID 2352 wrote to memory of 2076 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
PID 2352 wrote to memory of 2076 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f0b9ca60d16e9702072a451cda8f010N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f0b9ca60d16e9702072a451cda8f010N.exe"
   - Loads dropped DLL
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2316
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\1f0b9ca60d16e9702072a451cda8f010N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\1f0b9ca60d16e9702072a451cda8f010N.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2352
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DefaultPack.EXE
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DefaultPack.EXE silent=true
         - Checks computer location settings
         - Executes dropped EXE
         - Loads dropped DLL
         - Modifies Internet Explorer settings
         - Modifies Internet Explorer start page
         - Suspicious use of SetWindowsHookEx
         PID: 2076
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads