Overview

overview

10

Static

static

186ee2b0fb...ec.exe

windows7_x64

10

186ee2b0fb...ec.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    17-11-2021 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    186ee2b0fbae609d44351da0241dd0ec.exe

  • Size

    900KB

  • MD5

    186ee2b0fbae609d44351da0241dd0ec

  • SHA1

    24a9e98e48c1b5a62cc01456fd7eb2d2782d4f90

  • SHA256

    6315729f81fe55e4121e212fe2fb769e9cfbfba2178df45be066d5921817e371

  • SHA512

    e52df0cb502fa5269c994cee6b231ab48935f68be1beed9db1b4c3a96425a7868f4d6dac6b1353d88a025992200063cc7c86ad6289939075e1b570e2cbd97b52

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe
    "C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe
      "C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"
      2⤵
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:3676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1960-115-0x0000000000610000-0x0000000000611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-117-0x00000000053B0000-0x00000000053B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-118-0x0000000004F50000-0x0000000004F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-119-0x0000000004F30000-0x0000000004F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-120-0x0000000004EB0000-0x00000000053AE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1960-121-0x00000000051D0000-0x00000000051D7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1960-122-0x0000000007700000-0x0000000007701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-123-0x00000000078A0000-0x0000000007902000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1960-124-0x0000000007910000-0x0000000007950000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3676-125-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3676-126-0x0000000000408178-mapping.dmp
    Download
  • memory/3676-127-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download