Analysis
  max time kernel: 105s
  max time network: 107s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 22-07-2024 09:13
Behavioral task behavioral1
  Sample: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  Resource: win7-20240704-en
Behavioral task behavioral2
  Sample: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  Resource: win10v2004-20240709-en
General
  Target: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  Size: 2.6MB
  MD5: 8efc69c0f33ebc8c593f2b25b58fe7f0
  SHA1: 3dd0e1bde5eee9597bb42c0606335d06678c345a
  SHA256: 70dd0d017d11717853d171de483e0911154df71323964809ef6671517f3daec7
  SHA512: 64c63563264262acecb00d2c50c6b81a81d088b91d0f16e48a844eace6c149c8ea3ced9c83c0534c9181a911623dd54716fadff44cb1498d5c0e565b10a4a241
  SSDEEP: 49152:ynDZE0BIUpIxiaq1hyu8oBS6VPA1JGH/qdfWQsgJcWGs4iWCMv:uDT7IZq7P8oFPSaCWgGshU
Malware Config
Signatures
Detect Neshta payload (4 IoCs)
  resource -> yara_rule
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE -> family_neshta
  behavioral2/memory/3344-113-0x0000000000400000-0x000000000041B000-memory.dmp -> family_neshta
  behavioral2/memory/3344-114-0x0000000000400000-0x000000000041B000-memory.dmp -> family_neshta
  behavioral2/memory/3344-116-0x0000000000400000-0x000000000041B000-memory.dmp -> family_neshta
Neshta
  Malware from the Neshta family is designed to infect other files in order to spread and cause damage.
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoCs)
  PID 536: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
Loads dropped DLL (3 IoCs)
  PID 536: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  PID 536: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  PID 536: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
Modifies system executable filetype association (2 TTPs, 1 IoCs)
  Process: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar information.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoCs)
  Process: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  File opened for modification: C:\Windows\svchost.com
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
  resource -> yara_rule
  C:\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe -> nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe -> nsis_installer_2
Modifies registry class (1 IoCs)
  Process: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3344 wrote to memory of PID 536: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe -> 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  PID 3344 wrote to memory of PID 536: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe -> 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
  PID 3344 wrote to memory of PID 536: 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe -> 8efc69c0f33ebc8c593f2b25b58fe7f0N.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe (PID 3344)
    command line: "C:\Users\Admin\AppData\Local\Temp\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe"
    - Checks computer location settings
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe (PID 536, child of PID 3344)
      command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\8efc69c0f33ebc8c593f2b25b58fe7f0N.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads