Analysis
max time kernel: 112s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-07-2024 10:23
Behavioral task: behavioral1
Sample: 9bca97c41e2e273887171372b762a1e0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 9bca97c41e2e273887171372b762a1e0N.exe
Resource: win10v2004-20240709-en
General
Target: 9bca97c41e2e273887171372b762a1e0N.exe
Size: 199KB
MD5: 9bca97c41e2e273887171372b762a1e0
SHA1: 1c742f0e2fb8d729d3d7e80d6b9a21c1f61b8944
SHA256: 9817eaba67a45da3e5e87b38d5fc1f3c842bf6a0f90ddb9fce79fc77dd98c12a
SHA512: ed26c1faae25d1b707177eb548b5b5e640d83f998fcb26cefe6cb583b4b18e0c32928218d380a9c646adf145e5a7938007550024e6ed7911211230649eb2ef13
SSDEEP: 6144:k9gF9UG8uTBmC7Igf3csFRR9egZIrRR9egZIr:BUG8uTQC7IgPFRR9VZIrRR9VZIr
Malware Config
Signatures
Detect Neshta payload (5 IoCs)
Processes:
resource | yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | family_neshta
behavioral2/memory/1860-96-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1860-97-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1860-98-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/1860-100-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | 9bca97c41e2e273887171372b762a1e0N.exe
Executes dropped EXE (1 IoCs)
Processes:
pid | process
5044 | 9bca97c41e2e273887171372b762a1e0N.exe
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 9bca97c41e2e273887171372b762a1e0N.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | 9bca97c41e2e273887171372b762a1e0N.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE | 9bca97c41e2e273887171372b762a1e0N.exe
Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | 9bca97c41e2e273887171372b762a1e0N.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 9bca97c41e2e273887171372b762a1e0N.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 1860 wrote to memory of 5044 | 1860 | 9bca97c41e2e273887171372b762a1e0N.exe | 9bca97c41e2e273887171372b762a1e0N.exe
PID 1860 wrote to memory of 5044 | 1860 | 9bca97c41e2e273887171372b762a1e0N.exe | 9bca97c41e2e273887171372b762a1e0N.exe
PID 1860 wrote to memory of 5044 | 1860 | 9bca97c41e2e273887171372b762a1e0N.exe | 9bca97c41e2e273887171372b762a1e0N.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9bca97c41e2e273887171372b762a1e0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9bca97c41e2e273887171372b762a1e0N.exe"
  PID: 1860
  - Checks computer location settings
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\9bca97c41e2e273887171372b762a1e0N.exe (child of PID 1860)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\9bca97c41e2e273887171372b762a1e0N.exe"
    PID: 5044
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 86KB
MD5: 3b73078a714bf61d1c19ebc3afc0e454
SHA1: 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256: ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512: 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Filesize: 159KB
MD5: 8c65508cc51677d81b87b11bfee60290
SHA1: 8dce09f08e1c993ee484fc1f171958fc8220dfd3
SHA256: 1ca7c1bec22e2eb6154ba01863a685bec98e3e272581d305bb29511471e84eae
SHA512: 337dc96114d8ecb12ba5db96844b8202fb26f62531fcc614d025d606cf7ebe8b44ac59944080485e3b5c412838e0ffe6d0000a7e5e0bfa73df3be617e8fee6cf