Analysis
- max time kernel: 137s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-07-2024 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: image001.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: image001.exe
- Resource: win10v2004-20240709-en
General
- Target: image001.exe
- Size: 756KB
- MD5: 31c87737ea27257492b80ffe38db4a02
- SHA1: 202620c58aee7e3d873f344196fa43c5ad863baf
- SHA256: 16ecf712d513d305e40994ad4cdc51cc5b9be0f5f7067c543f00875973bc0a31
- SHA512: f50ee3c56f7f498fb54c501201bda1640bb7b9e7476dc896b2c19a7706b0f132bae808b4a312c0c401a1b8e58058b7255cc2ed9026b19a7a561f3168d85dbec9
- SSDEEP: 12288:PfyfpWOhx8kPn3HLK1ADGl8qWp5YXaZG5EpKXoz9E6IgybM6LIrGH0Tl2TAXjUva:PfyjiGuASGqM5YXH5U9bITbj8LTUTijU
Malware Config
Signatures
Neshta
Neshta is a file infector: it injects itself into other executable files to spread and cause damage.
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
- pid 1204 powershell.exe
- pid 2536 powershell.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (image001.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation (image001.exe)
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (image001.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 4816 (image001.exe) set thread context of PID 4352 (image001.exe)
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\svchost.com (image001.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (image001.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
- pid 4816 image001.exe
- pid 4816 image001.exe
- pid 4816 image001.exe
- pid 4816 image001.exe
- pid 1204 powershell.exe
- pid 1204 powershell.exe
- pid 2536 powershell.exe
- pid 2536 powershell.exe
- pid 4816 image001.exe
- pid 4816 image001.exe
- pid 4816 image001.exe
- pid 4816 image001.exe
- pid 1204 powershell.exe
- pid 2536 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, pid 4816 image001.exe
- Token: SeDebugPrivilege, pid 1204 powershell.exe
- Token: SeDebugPrivilege, pid 2536 powershell.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
- PID 4816 (image001.exe) wrote to memory of PID 1204 (powershell.exe)
- PID 4816 (image001.exe) wrote to memory of PID 1204 (powershell.exe)
- PID 4816 (image001.exe) wrote to memory of PID 1204 (powershell.exe)
- PID 4816 (image001.exe) wrote to memory of PID 2536 (powershell.exe)
- PID 4816 (image001.exe) wrote to memory of PID 2536 (powershell.exe)
- PID 4816 (image001.exe) wrote to memory of PID 2536 (powershell.exe)
- PID 4816 (image001.exe) wrote to memory of PID 64 (schtasks.exe)
- PID 4816 (image001.exe) wrote to memory of PID 64 (schtasks.exe)
- PID 4816 (image001.exe) wrote to memory of PID 64 (schtasks.exe)
- PID 4816 (image001.exe) wrote to memory of PID 1132 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 1132 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 1132 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
- PID 4816 (image001.exe) wrote to memory of PID 4352 (image001.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\image001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image001.exe"
  PID: 4816
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\image001.exe"
    PID: 1204
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qwyxUYwZbCeXJ.exe"
    PID: 2536
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qwyxUYwZbCeXJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2EB.tmp"
    PID: 64
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\image001.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\image001.exe"
    PID: 1132
  - C:\Users\Admin\AppData\Local\Temp\image001.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\image001.exe"
    PID: 4352
    - Checks computer location settings
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Event Triggered Execution (1): Change Default File Association (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads