Overview

overview

10

Static

static

10

09876523456789.exe

windows7_x64

10

09876523456789.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-09-2021 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09876523456789.exe

  • Size

    926KB

  • MD5

    b8cdebc24a5ab6241373ae3bcc7d3053

  • SHA1

    bb17815265e215c6de61489aca8019bb5ae473e0

  • SHA256

    5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2

  • SHA512

    b57809010853fce4520d4f0a144c5827f07e0105da22814480472d2d147006712867fcaead42e3aabaf88592344dad2ddca9771a5a616a105253cb5cd8b949e8

Score
10/10
neshtaxmrigevasionminerpersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta Payload 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs
    evasion
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Executes dropped EXE 8 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 55 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09876523456789.exe
    "C:\Users\Admin\AppData\Local\Temp\09876523456789.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:384
      • \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
        c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1196
        • \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
          c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
          4⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1452
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1588
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1940
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2364
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2628
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3000
              • C:\Windows\SysWOW64\at.exe
                at 15:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                  PID:2268
                • C:\Windows\SysWOW64\at.exe
                  at 15:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  7⤵
                    PID:1736
                  • C:\Windows\SysWOW64\at.exe
                    at 15:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    7⤵
                      PID:3372

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
          MD5

          2fce217b06eab217e49e58ae373f8ddb

          SHA1

          3145657a134272e403320b87a2ef1df87ea9ab07

          SHA256

          dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

          SHA512

          421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
          MD5

          2fce217b06eab217e49e58ae373f8ddb

          SHA1

          3145657a134272e403320b87a2ef1df87ea9ab07

          SHA256

          dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

          SHA512

          421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe 
          MD5

          bcc7a93ad8bad83eb4caf6228bf8ae6b

          SHA1

          c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

          SHA256

          cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

          SHA512

          a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe 
          MD5

          bcc7a93ad8bad83eb4caf6228bf8ae6b

          SHA1

          c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

          SHA256

          cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

          SHA512

          a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

          Download Submit
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          MD5

          8329f0288b6df014a04153c750b678db

          SHA1

          5fb72256bbfdde0e47928e4d1712722b0ab64439

          SHA256

          13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

          SHA512

          8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

          Download Submit
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          MD5

          8329f0288b6df014a04153c750b678db

          SHA1

          5fb72256bbfdde0e47928e4d1712722b0ab64439

          SHA256

          13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

          SHA512

          8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

          Download Submit
        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          MD5

          ffbb305fda456a3dfb62e537573fae4d

          SHA1

          a9c26e23b88e7a67f0772158c086c5c6f52df387

          SHA256

          98ed49720df26993d2325236d9fad29d5f9c1434544e7e3622d3bd71bb9d3022

          SHA512

          e83e0f9cebdee87057d5b98162919a48c83f573854244c11394371c37baaccb01412f6a3b1e01db39eecd337d657f68437391dc688f423eb4cf7154756dc8883

          Download Submit
        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          MD5

          fc63716e6ad7f8b9f536b3b51508e82d

          SHA1

          1e35a11068d6f6bfdd1862b1f1bbb423b0b847d3

          SHA256

          3da976fb683deca790355d686b07a4346b407d69e3e00c2b447b95d9e6efaab9

          SHA512

          86bbdc573116716a5bea2cb54a1f4561c5665381f481037ed54693ec7218661cf23a1d2f041933e5736d1e16ad72167366b6b70ebf175eaf4c1a0f4f87217a37

          Download Submit
        • C:\Windows\System\explorer.exe
          MD5

          7c020dd2620c975acdd365e877d77266

          SHA1

          d8afb309a4887e586f962cfed54cc44aded9d196

          SHA256

          ef5591316c489e661130c5e3f183b5a8989edcc8840ac7d451d94ffac788e2b2

          SHA512

          442f348f6be8475c40438dbab2ee4361418a7169572334fde108c9d17b5b1615dc27c0d62a2d5ce66103e3abfa2781141766f41d7a533627143030ea2081af92

          Download Submit
        • C:\Windows\System\spoolsv.exe
          MD5

          3c144541340cb771a1951440a7ab6e82

          SHA1

          c22a58950aa584a1bb54d17379b8269159d2fc99

          SHA256

          1a97951e592a867cd8127d3e3585d61b36af0380d6e206e8bcb996329f2ccb36

          SHA512

          641036f841c4af9b4f1c522b13628a6fc4a9259adf246d6de0fd5b25b89c1b06783133a6a0201bd3027cf1250151fca4d0b8decf42bb57b66dadb3932c633f6a

          Download Submit
        • C:\Windows\System\spoolsv.exe
          MD5

          3c144541340cb771a1951440a7ab6e82

          SHA1

          c22a58950aa584a1bb54d17379b8269159d2fc99

          SHA256

          1a97951e592a867cd8127d3e3585d61b36af0380d6e206e8bcb996329f2ccb36

          SHA512

          641036f841c4af9b4f1c522b13628a6fc4a9259adf246d6de0fd5b25b89c1b06783133a6a0201bd3027cf1250151fca4d0b8decf42bb57b66dadb3932c633f6a

          Download Submit
        • C:\Windows\System\svchost.exe
          MD5

          6a210270b297c64cfc2c07cda81d413b

          SHA1

          331bbaffdcce0d62f8d66f088ebdcc38a02a351f

          SHA256

          d4f014de9e11e1d1b5cda4011105d82c2b60490c638a795da5a3b71767313947

          SHA512

          1880ab064f76b6bda4ba0319755e5c422f8bd14a7c4ae145d2dded626b43204e363336ba5e8305d37bb85d43d101e6a968f53642cd87e91d6c173933777b0df0

          Download Submit
        • \??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe 
          MD5

          bcc7a93ad8bad83eb4caf6228bf8ae6b

          SHA1

          c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

          SHA256

          cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

          SHA512

          a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

          Download Submit
        • \??\c:\windows\system\explorer.exe
          MD5

          7c020dd2620c975acdd365e877d77266

          SHA1

          d8afb309a4887e586f962cfed54cc44aded9d196

          SHA256

          ef5591316c489e661130c5e3f183b5a8989edcc8840ac7d451d94ffac788e2b2

          SHA512

          442f348f6be8475c40438dbab2ee4361418a7169572334fde108c9d17b5b1615dc27c0d62a2d5ce66103e3abfa2781141766f41d7a533627143030ea2081af92

          Download Submit
        • \??\c:\windows\system\spoolsv.exe
          MD5

          3c144541340cb771a1951440a7ab6e82

          SHA1

          c22a58950aa584a1bb54d17379b8269159d2fc99

          SHA256

          1a97951e592a867cd8127d3e3585d61b36af0380d6e206e8bcb996329f2ccb36

          SHA512

          641036f841c4af9b4f1c522b13628a6fc4a9259adf246d6de0fd5b25b89c1b06783133a6a0201bd3027cf1250151fca4d0b8decf42bb57b66dadb3932c633f6a

          Download Submit
        • \??\c:\windows\system\svchost.exe
          MD5

          6a210270b297c64cfc2c07cda81d413b

          SHA1

          331bbaffdcce0d62f8d66f088ebdcc38a02a351f

          SHA256

          d4f014de9e11e1d1b5cda4011105d82c2b60490c638a795da5a3b71767313947

          SHA512

          1880ab064f76b6bda4ba0319755e5c422f8bd14a7c4ae145d2dded626b43204e363336ba5e8305d37bb85d43d101e6a968f53642cd87e91d6c173933777b0df0

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsv8A0C.tmp\shbtviyozv.dll
          MD5

          b08548c50aeca632a4f589cf225be6e2

          SHA1

          102d9cb4a737eb6a0e130544f3aaf28603b199ac

          SHA256

          73d6764798d0afe045ef2dfd8c04d19fdaaa844ccd8beb8297025bca8bdb4cf0

          SHA512

          bb07aebac4284c457c99d36ccc1c1a8dcb8056c20ca5749f7bd20f9260cc974293ef0271fc6b311078569029c216f60fd470e0fc9adaef3a6a9b3c7b1f0ad94b

          Download Submit
        • memory/384-114-0x0000000000000000-mapping.dmp
          Download
        • memory/1196-120-0x0000000000000000-mapping.dmp
          Download
        • memory/1452-140-0x00000000001F0000-0x00000000001F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1452-163-0x00000000001F8000-0x00000000001F9000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1452-132-0x0000000000400000-0x000000000048B000-memory.dmp
          Filesize

          556KB

          Download
        • memory/1452-125-0x000000000040188B-mapping.dmp
          Download
        • memory/1452-158-0x00000000001F1000-0x00000000001F2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1452-124-0x0000000000400000-0x000000000048B000-memory.dmp
          Filesize

          556KB

          Download
        • memory/1452-160-0x00000000001F7000-0x00000000001F8000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1452-159-0x00000000001F2000-0x00000000001F4000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1588-127-0x0000000000000000-mapping.dmp
          Download
        • memory/1736-165-0x0000000000000000-mapping.dmp
          Download
        • memory/1940-134-0x0000000000000000-mapping.dmp
          Download
        • memory/2268-161-0x0000000000000000-mapping.dmp
          Download
        • memory/2364-141-0x0000000000000000-mapping.dmp
          Download
        • memory/2628-147-0x0000000000000000-mapping.dmp
          Download
        • memory/3000-153-0x0000000000000000-mapping.dmp
          Download
        • memory/3372-166-0x0000000000000000-mapping.dmp
          Download