Analysis
max time kernel: 108s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2024 22:33
Behavioral task behavioral1
Sample: 1f0b9ca60d16e9702072a451cda8f010N.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: 1f0b9ca60d16e9702072a451cda8f010N.exe
Resource: win10v2004-20240709-en
General
Target: 1f0b9ca60d16e9702072a451cda8f010N.exe
Size: 3.0MB
MD5: 1f0b9ca60d16e9702072a451cda8f010
SHA1: 6c2f8a9cd75b0867bd7e69d7972a3080d9cf6c1d
SHA256: 8078c7293afd40870b4cf1bdd4edf8229a88c4ad467eaccff67fe21a2e1e7146
SHA512: 18f7f85fe7d084a4fa700bc8874f070170dac87fd583aa5a59c6d9200fbc45fd5073a5085b39c92a2809afff426c76f36041e6d17170c4590133c13e7c85aff1
SSDEEP: 49152:bwi8hXaMLmdGdZMvPspL0McbmAxTmxHfW7JBwPONm6AsU/w/Lg+/YkXJAVev:U3XxLKGdZMvELCmAMHeBwPXsU4/LgSYw
Malware Config
Signatures
-
Detect Neshta payload (4 IoCs)
Processes (resource: yara_rule):
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE: family_neshta
- behavioral2/memory/2640-123-0x0000000000400000-0x000000000041B000-memory.dmp: family_neshta
- behavioral2/memory/2640-124-0x0000000000400000-0x000000000041B000-memory.dmp: family_neshta
- behavioral2/memory/2640-126-0x0000000000400000-0x000000000041B000-memory.dmp: family_neshta
Neshta
Neshta is a file-infector family: it writes a copy of itself into other executables in order to spread and cause damage.
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: DefaultPack.EXE, 1f0b9ca60d16e9702072a451cda8f010N.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (process: DefaultPack.EXE)
- Key value queried: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation (process: 1f0b9ca60d16e9702072a451cda8f010N.exe)
Executes dropped EXE (2 IoCs)
Processes:
- PID 2116: 1f0b9ca60d16e9702072a451cda8f010N.exe
- PID 1244: DefaultPack.EXE
Loads dropped DLL (1 IoCs)
Processes:
- PID 1244: DefaultPack.EXE
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 1f0b9ca60d16e9702072a451cda8f010N.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 1f0b9ca60d16e9702072a451cda8f010N.exe)
Drops file in Program Files directory (64 IoCs; files opened for modification by 1f0b9ca60d16e9702072a451cda8f010N.exe)
Drops file in Windows directory (1 IoCs)
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
- File opened for modification: C:\Windows\svchost.com (process: 1f0b9ca60d16e9702072a451cda8f010N.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Processes: DefaultPack.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\Main (process: DefaultPack.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Secondary Start Pages = 680074007400700073003a002f002f007700770077002e006d0073006e002e0063006f006d002f003f00700063003d00550032003200300026006f006300690064003d00550032003200300044004800500026006f0073006d006b0074003d0065006e002d007500730000000000 (process: DefaultPack.EXE)
Modifies registry class (1 IoCs)
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 1f0b9ca60d16e9702072a451cda8f010N.exe)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- PID 1244: DefaultPack.EXE
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 1f0b9ca60d16e9702072a451cda8f010N.exe, 1f0b9ca60d16e9702072a451cda8f010N.exe
- PID 2640 wrote to memory of 2116 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
- PID 2640 wrote to memory of 2116 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
- PID 2640 wrote to memory of 2116 (1f0b9ca60d16e9702072a451cda8f010N.exe -> 1f0b9ca60d16e9702072a451cda8f010N.exe)
- PID 2116 wrote to memory of 1244 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
- PID 2116 wrote to memory of 1244 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
- PID 2116 wrote to memory of 1244 (1f0b9ca60d16e9702072a451cda8f010N.exe -> DefaultPack.EXE)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\1f0b9ca60d16e9702072a451cda8f010N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f0b9ca60d16e9702072a451cda8f010N.exe"
  PID: 2640
  - Checks computer location settings
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\3582-490\1f0b9ca60d16e9702072a451cda8f010N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\1f0b9ca60d16e9702072a451cda8f010N.exe"
    PID: 2116
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DefaultPack.EXE
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DefaultPack.EXE silent=true
      PID: 1244
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads