Analysis
-
max time kernel
41s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
15-09-2024 11:10
Static task
static1
Behavioral task
behavioral1
Sample
fb76a5b722405efc72c9965d527a8fd0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fb76a5b722405efc72c9965d527a8fd0N.exe
Resource
win10v2004-20240802-en
General
-
Target
fb76a5b722405efc72c9965d527a8fd0N.exe
-
Size
1.6MB
-
MD5
fb76a5b722405efc72c9965d527a8fd0
-
SHA1
4d23317bc62b3c0776bcb207fb29908ae5096e14
-
SHA256
494b5c21d28798235ef25e80961ebd37021d609121a9b09b0c137bbfd9cd4812
-
SHA512
90ba2ca6e9bf968e1e534397661b550dfbe68049e1a3ccf666338abb0915fc45ccd1b12b0fe81f0d16106e8b6081977a8d2e55f1005053e04844c05939167f6c
-
SSDEEP
24576:yNsE09kEyTClJQ56C17Gf/VtsFVAVXCkaqtZpy:y2EKkEyTCDQwI7GHLsX8VZQ
Malware Config
Signatures
-
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
pid Process 2140 fb76a5b722405efc72c9965d527a8fd0N.exe -
Loads dropped DLL 2 IoCs
pid Process 3000 fb76a5b722405efc72c9965d527a8fd0N.exe 3000 fb76a5b722405efc72c9965d527a8fd0N.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" fb76a5b722405efc72c9965d527a8fd0N.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com fb76a5b722405efc72c9965d527a8fd0N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb76a5b722405efc72c9965d527a8fd0N.exe -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" fb76a5b722405efc72c9965d527a8fd0N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3000 wrote to memory of 2140 3000 fb76a5b722405efc72c9965d527a8fd0N.exe 30
PID 3000 wrote to memory of 2140 3000 fb76a5b722405efc72c9965d527a8fd0N.exe 30
PID 3000 wrote to memory of 2140 3000 fb76a5b722405efc72c9965d527a8fd0N.exe 30
PID 3000 wrote to memory of 2140 3000 fb76a5b722405efc72c9965d527a8fd0N.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb76a5b722405efc72c9965d527a8fd0N.exe "C:\Users\Admin\AppData\Local\Temp\fb76a5b722405efc72c9965d527a8fd0N.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\3582-490\fb76a5b722405efc72c9965d527a8fd0N.exe "C:\Users\Admin\AppData\Local\Temp\3582-490\fb76a5b722405efc72c9965d527a8fd0N.exe"
- Executes dropped EXE
PID:2140
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
859KB
MD5 754309b7b83050a50768236ee966224f
SHA1 10ed7efc2e594417ddeb00a42deb8fd9f804ed53
SHA256 acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6
SHA512 e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614
-
Filesize
252KB
MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
1.5MB
MD5 c1d680ca95873d5772a39b93d3a9ab15
SHA1 f5352bb32a587f484211b43d0c023edb435d294f
SHA256 67e6d8bb2c99c3f87c02189fc48427fe8e9aaff37de7a2c98ac4be2204916093
SHA512 b9b53cdb30b9e7ed9bdc73e5d78c299287268bbcee34aeb0203584a3e95586ce349521bbb0eb940437050d7f05e353a359013873fcaf9af5ac44810def1edb01