Resubmissions
18-10-2024 17:25
241018-vzl1la1cqq 1018-10-2024 16:26
241018-txhdyswgqh 1018-10-2024 16:25
241018-tw78zsydrp 318-10-2024 16:22
241018-tvh8gawfqa 3Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
18-10-2024 17:25
General
-
Target
6812964531.exe
-
Size
67KB
-
MD5
7de65122a13ab9d81368ee3dff3cc80a
-
SHA1
ecbb4db641431d4d672e4b88e8d309419fd32f04
-
SHA256
a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123
-
SHA512
b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401
-
SSDEEP
1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj
Malware Config
Signatures
-
Detect Neshta payload 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
UAC bypass 3 TTPs 1 IoCs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
-
Executes dropped EXE 5 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6812964531.exe"C:\Users\Admin\AppData\Local\Temp\6812964531.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\6812964531.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\java.exejava -jar C:\Users\Admin\download_libra.jar3⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c wmic cpu get name5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe"C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe"5⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\windef_installer.exe"C:\Users\Admin\AppData\Local\Temp\windef_installer.exe"5⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\windef_installer.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\windef_installer.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"1⤵
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c wmic cpu get name2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exeC:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe explorer.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD5ba5cd4b8f29768a15240c4ed4626b2da
SHA15ac8cf09005824a02396e6ce6bc1d5c44159d0c7
SHA2560419c456c0faac042de35afe05edd20c8f4fbebc800880afbf698eb0419bab28
SHA51282e56a738561f867f97136da3f323053c185fac01cec2b7c2ffdf6abbd6578d5a2603b9c8fad5723bc403a38b7e9f7761760e0ace616ad3e0494a8531d48bf2b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
5.1MB
MD586a1cbee2b7dc5d64051c83c82c8d02b
SHA155d82d17f7f10d088909d0cb7116969d12308974
SHA256d3f47cd85c525a0c3ed855949bf27023c27b24c51d388166d72d4fa8cae4c2f5
SHA5126720ecb2799185bf2a03259766e3dd38aeaec674a3a28e657bd55131b1e9fb18fab118afc3aa7881de56d7af36d60bf8b29449065ba32c5cf0dea38fb892ecbb
-
Filesize
3.0MB
MD589adc93450933f84d40ba2d07de9f55d
SHA13bdbe9c88b36c79ff2f29839993d2622b894f2fd
SHA256ef10ef6ec96b3afa2b121edbf8cc45735e06842a26d48e55cc1fff42aa665087
SHA51249b0b71a2865081759890f9414216f3ab9a6b7579f3f0287157b8c89de8dd61da13a1f6ebaf19aa859bd60a373c0a00f036f6bf97357643235cdbada58204720
-
Filesize
2.5MB
MD58a7174b8fb3eafebd5b59dcea31a88fa
SHA17783ab6618807000e0ca219465e3774d2a643dad
SHA2569ab066c5398610d0c3a442e60bca5f7d6d89e645a8cfe8b6216a736af10fce33
SHA512c5814dc9e8e7c9d2668f0d2031e54b7d1657029c693c0bc0b0506fc7bc07be1091ddc1257f5bd02dc46c1ebeecb292752b7a45479a9cd5aac2c65e92a1e6427e
-
Filesize
5.2MB
MD5d5f38176aa233dc3a85f2c3e7c6cf1f7
SHA1022ea6d320067d2429b26cc424145610fa0ad28e
SHA256db307d31bbb3d282685bf28e0abf464a931fa749633d784e39adbe7d8d8ead31
SHA512f58f855e3a102b6ccb4197b38323149342c23c2182b6309074d5720c2b2f20d764c33b10013834e85f73e22c0b7ab95ec4171ff251523b598821ad632af5a893
-
Filesize
45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
25.9MB
MD5df616fd81f8ee6e3a87e4a065c3cbfd6
SHA1434a2c9c17c41972daf12f31bd69fb6740fbb051
SHA2566011bacfd1df40248d92e7e71570f1bfc2288886fab7ff1102a8987a3b12829e
SHA5126105ce13d2f07540371a156ac967c3bb788fdb529aabc65114fe186ce523b3daaab658bce31ba9e00bd7151afdb99b20cbe023383c1baff78acac0a3c5c78c51
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB