Overview

overview

10

Static

static

10

09876523456789.exe

windows7_x64

10

09876523456789.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-09-2021 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09876523456789.exe

  • Size

    926KB

  • MD5

    b8cdebc24a5ab6241373ae3bcc7d3053

  • SHA1

    bb17815265e215c6de61489aca8019bb5ae473e0

  • SHA256

    5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2

  • SHA512

    b57809010853fce4520d4f0a144c5827f07e0105da22814480472d2d147006712867fcaead42e3aabaf88592344dad2ddca9771a5a616a105253cb5cd8b949e8

Score
10/10
neshtaxmrigevasionminerpersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs
    evasion
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Executes dropped EXE 8 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 55 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09876523456789.exe
    "C:\Users\Admin\AppData\Local\Temp\09876523456789.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:384
      • \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
        c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1196
        • \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
          c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
          4⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1452
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1588
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1824
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2364
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2628
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3100
              • C:\Windows\SysWOW64\at.exe
                at 14:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                  PID:2268
                • C:\Windows\SysWOW64\at.exe
                  at 14:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  7⤵
                    PID:1076
                  • C:\Windows\SysWOW64\at.exe
                    at 14:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    7⤵
                      PID:744

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
          MD5

          2fce217b06eab217e49e58ae373f8ddb

          SHA1

          3145657a134272e403320b87a2ef1df87ea9ab07

          SHA256

          dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

          SHA512

          421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
          MD5

          2fce217b06eab217e49e58ae373f8ddb

          SHA1

          3145657a134272e403320b87a2ef1df87ea9ab07

          SHA256

          dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

          SHA512

          421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe 
          MD5

          bcc7a93ad8bad83eb4caf6228bf8ae6b

          SHA1

          c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

          SHA256

          cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

          SHA512

          a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe 
          MD5

          bcc7a93ad8bad83eb4caf6228bf8ae6b

          SHA1

          c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

          SHA256

          cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

          SHA512

          a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

          Download Submit
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          MD5

          8329f0288b6df014a04153c750b678db

          SHA1

          5fb72256bbfdde0e47928e4d1712722b0ab64439

          SHA256

          13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

          SHA512

          8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

          Download Submit
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          MD5

          8329f0288b6df014a04153c750b678db

          SHA1

          5fb72256bbfdde0e47928e4d1712722b0ab64439

          SHA256

          13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

          SHA512

          8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

          Download Submit
        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          MD5

          af33249536c754b43049a302fe3e60cb

          SHA1

          76abb4b99083ff17f17a1489d6868d478c1f23fe

          SHA256

          5f753138175321ef3e56d70bff49f3241dec92b60dafd57018b353da1834a325

          SHA512

          e7ed88745627eac78a63f1be31f5c5cd1affa305dfe0cef59eadfe8438b33d7db9eb802e88e64349eeb1beaf3744bb9f6aa6098a2540857ef9367932f146f95b

          Download Submit
        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          MD5

          a4ae9c0fbfd2f3126e6ae6ed242b73da

          SHA1

          89b37086be031529c5beaa6735674895fa7eff22

          SHA256

          83fa4f1b607036087650ed4a636863698333d1e6d9ad1d5d458513fd878cdb71

          SHA512

          7dcdbf56a9cce2f7e6529ab575de1d55ad44d9f5ead61fd6104eb0205c5ffe8c13c1544ed845def20ced11918d462017d3e960f90ff523135e02ef8acc51e310

          Download Submit
        • C:\Windows\System\explorer.exe
          MD5

          bfafaf212165dca65a697a347f060ad7

          SHA1

          25fadcd14b5dc3838df16a9f32d399de4dc8dc77

          SHA256

          b22f9eed08ff9133c60a0fcac183e1fe77a97530963022fbdd4980fcd9ec2181

          SHA512

          89ff9ce4bf064f9ff953f6c156aa1a6eb29a9cb9bceab8c6308edfe6ff1887eba43d5493e661ef1bc3f4bd70659f2f9d93f683f7613c72b3c4937b7d4a886ed1

          Download Submit
        • C:\Windows\System\spoolsv.exe
          MD5

          d74e7ef36c6ffafb1d661b322d9075d7

          SHA1

          2ef993bfbdce4c66238c4f902b7cca90e4721b9a

          SHA256

          e33326f2f35226bab104e24fbc0061c38ef2a38ecfe536cf87ffb5b7dd7c0853

          SHA512

          a2af9208c4784af24c3e3c73a6eb8066d546e478a7c6edd3c2a063666b5218466ca2f36f0eda2afdbce78f38912a9967b4b4351a8f14197eae53eac58e3cd41d

          Download Submit
        • C:\Windows\System\spoolsv.exe
          MD5

          d74e7ef36c6ffafb1d661b322d9075d7

          SHA1

          2ef993bfbdce4c66238c4f902b7cca90e4721b9a

          SHA256

          e33326f2f35226bab104e24fbc0061c38ef2a38ecfe536cf87ffb5b7dd7c0853

          SHA512

          a2af9208c4784af24c3e3c73a6eb8066d546e478a7c6edd3c2a063666b5218466ca2f36f0eda2afdbce78f38912a9967b4b4351a8f14197eae53eac58e3cd41d

          Download Submit
        • C:\Windows\System\svchost.exe
          MD5

          a3a47d771f8798d5b47591507fad37a0

          SHA1

          f89401b9d06696c62f785a9b6a7a402eb3fc2256

          SHA256

          02ee5051c84b4a3c1e4257af4acd195beb1e81790ca33f5c3fe1e31df00f1ddb

          SHA512

          9cee59e837e9886ca66d8335c76a87ad1a62bd899140d07dd1da52977286ad43954fe6046dd9a365d2ddb76354ae2623b6a4df720cbe197124100eaf1ade9ae3

          Download Submit
        • \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
          MD5

          bcc7a93ad8bad83eb4caf6228bf8ae6b

          SHA1

          c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

          SHA256

          cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

          SHA512

          a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

          Download Submit
        • \??\c:\windows\system\explorer.exe
          MD5

          bfafaf212165dca65a697a347f060ad7

          SHA1

          25fadcd14b5dc3838df16a9f32d399de4dc8dc77

          SHA256

          b22f9eed08ff9133c60a0fcac183e1fe77a97530963022fbdd4980fcd9ec2181

          SHA512

          89ff9ce4bf064f9ff953f6c156aa1a6eb29a9cb9bceab8c6308edfe6ff1887eba43d5493e661ef1bc3f4bd70659f2f9d93f683f7613c72b3c4937b7d4a886ed1

          Download Submit
        • \??\c:\windows\system\spoolsv.exe
          MD5

          d74e7ef36c6ffafb1d661b322d9075d7

          SHA1

          2ef993bfbdce4c66238c4f902b7cca90e4721b9a

          SHA256

          e33326f2f35226bab104e24fbc0061c38ef2a38ecfe536cf87ffb5b7dd7c0853

          SHA512

          a2af9208c4784af24c3e3c73a6eb8066d546e478a7c6edd3c2a063666b5218466ca2f36f0eda2afdbce78f38912a9967b4b4351a8f14197eae53eac58e3cd41d

          Download Submit
        • \??\c:\windows\system\svchost.exe
          MD5

          a3a47d771f8798d5b47591507fad37a0

          SHA1

          f89401b9d06696c62f785a9b6a7a402eb3fc2256

          SHA256

          02ee5051c84b4a3c1e4257af4acd195beb1e81790ca33f5c3fe1e31df00f1ddb

          SHA512

          9cee59e837e9886ca66d8335c76a87ad1a62bd899140d07dd1da52977286ad43954fe6046dd9a365d2ddb76354ae2623b6a4df720cbe197124100eaf1ade9ae3

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsd92C6.tmp\shbtviyozv.dll
          MD5

          b08548c50aeca632a4f589cf225be6e2

          SHA1

          102d9cb4a737eb6a0e130544f3aaf28603b199ac

          SHA256

          73d6764798d0afe045ef2dfd8c04d19fdaaa844ccd8beb8297025bca8bdb4cf0

          SHA512

          bb07aebac4284c457c99d36ccc1c1a8dcb8056c20ca5749f7bd20f9260cc974293ef0271fc6b311078569029c216f60fd470e0fc9adaef3a6a9b3c7b1f0ad94b

          Download Submit
        • memory/384-114-0x0000000000000000-mapping.dmp
          Download
        • memory/744-166-0x0000000000000000-mapping.dmp
          Download
        • memory/1076-165-0x0000000000000000-mapping.dmp
          Download
        • memory/1196-120-0x0000000000000000-mapping.dmp
          Download
        • memory/1452-136-0x0000000000400000-0x000000000048B000-memory.dmp
          Filesize

          556KB

          Download
        • memory/1452-137-0x00000000001E0000-0x00000000001E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1452-124-0x0000000000400000-0x000000000048B000-memory.dmp
          Filesize

          556KB

          Download
        • memory/1452-153-0x00000000001E2000-0x00000000001E4000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1452-152-0x00000000001E1000-0x00000000001E2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1452-154-0x00000000001E7000-0x00000000001E8000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1452-125-0x000000000040188B-mapping.dmp
          Download
        • memory/1452-163-0x00000000001E8000-0x00000000001E9000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1588-127-0x0000000000000000-mapping.dmp
          Download
        • memory/1824-133-0x0000000000000000-mapping.dmp
          Download
        • memory/2268-161-0x0000000000000000-mapping.dmp
          Download
        • memory/2364-141-0x0000000000000000-mapping.dmp
          Download
        • memory/2628-147-0x0000000000000000-mapping.dmp
          Download
        • memory/3100-156-0x0000000000000000-mapping.dmp
          Download