Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23-07-2024 01:10
Static task: static1
Behavioral task: behavioral1
  Sample: image001.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: image001.exe
  Resource: win10v2004-20240709-en
General
Target: image001.exe
Size: 756KB
MD5: 31c87737ea27257492b80ffe38db4a02
SHA1: 202620c58aee7e3d873f344196fa43c5ad863baf
SHA256: 16ecf712d513d305e40994ad4cdc51cc5b9be0f5f7067c543f00875973bc0a31
SHA512: f50ee3c56f7f498fb54c501201bda1640bb7b9e7476dc896b2c19a7706b0f132bae808b4a312c0c401a1b8e58058b7255cc2ed9026b19a7a561f3168d85dbec9
SSDEEP: 12288:PfyfpWOhx8kPn3HLK1ADGl8qWp5YXaZG5EpKXoz9E6IgybM6LIrGH0Tl2TAXjUva:PfyjiGuASGqM5YXH5U9bITbj8LTUTijU
Malware Config
Signatures

Neshta
Malware from the Neshta family is designed to infect itself into other files to spread itself and cause damage.

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2688  powershell.exe
  1864  powershell.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  2856  image001.exe

Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  image001.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                         pid  process       target process
  PID 332 set thread context of 2856  332  image001.exe  image001.exe

Drops file in Program Files directory (64 IoCs)
Processes:
Drops file in Windows directory (1 IoCs)
Processes:
  description                   ioc                     process
  File opened for modification  C:\Windows\svchost.com  image001.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoCs)
Processes:
  description      ioc                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  image001.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid   process
  332   image001.exe
  332   image001.exe
  332   image001.exe
  332   image001.exe
  332   image001.exe
  1864  powershell.exe
  2688  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  332   image001.exe
  Token: SeDebugPrivilege  1864  powershell.exe
  Token: SeDebugPrivilege  2688  powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                      pid  process       target process
  PID 332 wrote to memory of 1864  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 1864  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 1864  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 1864  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 2688  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 2688  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 2688  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 2688  332  image001.exe  powershell.exe
  PID 332 wrote to memory of 2812  332  image001.exe  schtasks.exe
  PID 332 wrote to memory of 2812  332  image001.exe  schtasks.exe
  PID 332 wrote to memory of 2812  332  image001.exe  schtasks.exe
  PID 332 wrote to memory of 2812  332  image001.exe  schtasks.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
  PID 332 wrote to memory of 2856  332  image001.exe  image001.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\image001.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\image001.exe"
PID: 332
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\image001.exe"
  PID: 1864
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qwyxUYwZbCeXJ.exe"
  PID: 2688
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qwyxUYwZbCeXJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2118.tmp"
  PID: 2812
  - Scheduled Task/Job: Scheduled Task

  Depth 2: C:\Users\Admin\AppData\Local\Temp\image001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image001.exe"
  PID: 2856
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Event Triggered Execution (1): Change Default File Association (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads