Analysis
- max time kernel: 104s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 22-07-2024 09:13
Behavioral task: behavioral1
- Sample: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Resource: win10v2004-20240709-en
General
- Target: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Size: 2.6MB
- MD5: 8efc69c0f33ebc8c593f2b25b58fe7f0
- SHA1: 3dd0e1bde5eee9597bb42c0606335d06678c345a
- SHA256: 70dd0d017d11717853d171de483e0911154df71323964809ef6671517f3daec7
- SHA512: 64c63563264262acecb00d2c50c6b81a81d088b91d0f16e48a844eace6c149c8ea3ced9c83c0534c9181a911623dd54716fadff44cb1498d5c0e565b10a4a241
- SSDEEP: 49152:ynDZE0BIUpIxiaq1hyu8oBS6VPA1JGH/qdfWQsgJcWGs4iWCMv:uDT7IZq7P8oFPSaCWgGshU
Malware Config
Signatures
- Detect Neshta payload (6 IoCs)
Processes (resource | yara_rule):
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe | family_neshta
behavioral1/memory/2440-103-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2440-104-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2440-105-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2440-106-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2440-108-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
- Neshta
Malware from the Neshta family spreads by infecting other files with copies of itself, damaging them in the process.
- Executes dropped EXE (1 IoC)
Processes (pid | process):
1284 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Loads dropped DLL (7 IoCs)
Processes (pid | process):
2440 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
1284 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
1284 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
1284 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
1284 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
1284 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
2440 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
Processes (description | ioc | process):
File opened for modification | C:\Windows\svchost.com | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
Processes (resource | yara_rule):
\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe | nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe | nsis_installer_2
- Modifies registry class (1 IoC)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
1284 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description | pid | process | target process):
PID 2440 wrote to memory of 1284 | 2440 | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe | 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe (this event is recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe"
PID: 2440
Signatures:
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe (depth 2, child of the process above)
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe"
PID: 1284
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads