Analysis

  • max time kernel
    132s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-12-2021 11:00

General

  • Target

    tmp/6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe

  • Size

    855KB

  • MD5

    521447b36c3c0b8c123e149e9aee2eb3

  • SHA1

    de9cfbd7807bcfef61790670b4e94f2c8d352ac9

  • SHA256

    02323ad7d39bea5d5e736d6a66e31840542cf2c75f265b46b501ed2452cef2ce

  • SHA512

    cc411a82c357916cd6e6fb52d34ded67c95fe4657da6a07ab3770cb11d601c8dfa28ffe0b10c66962851c22d582e789ad8334af93c5f1fa0df0a3905e571a69b

Malware Config

Signatures

  • Detect Neshta Payload (2 IoCs)
  • Modifies system executable filetype association (2 TTPs, 1 IoCs)
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Executes dropped EXE (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\tmp\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Users\Admin\AppData\Local\Temp\tmp\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe"
        3⤵
        • Modifies system executable filetype association
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3156
        • C:\Users\Admin\AppData\Local\Temp\3582-490\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\svchost.exe
            "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe"
            5⤵
            • Executes dropped EXE
            PID:364
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:2524

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Change Default File Association, T1042 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: System Information Discovery, T1082 (1)
  • Collection: Data from Local System, T1005 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe
    MD5

    d07e4c1e3e5fb72f6f94cb7def8faccf

    SHA1

    70f6af812d215fb52b9c819dc3e7578d2be7674d

    SHA256

    ac11fac48d49f4676ef5b49432cb9b0cd860525f704440c2edeec6db44cd75d7

    SHA512

    d8b7f5976ab436e5642667ff95525edc01a7f0219564b6f3de99e30fc6a9218f59acd7dfa158dcbd5c72242670f4d169999ea252e4b5b743057485e605448a04

  • C:\Users\Admin\AppData\Local\Temp\tmp\6065149a-4e5b-4b4f-a1e4-095f1751bf4e_1017.exe
    MD5

    fc531a15121713ceee1177bbd099768f

    SHA1

    17d22dcd9e702c8f0611ac58be69026f77f35329

    SHA256

    91d34a3a04fb550000f564c89e98b284896f1c472cfd0caa558ce41edd96d695

    SHA512

    06107f27c1bd78cb425e205259408f35c5522f4b2562dd49aec62f20dd34987b860809fd38c6ff2319df4bf18d9e8902d0e40cc57a5ed2b7eb58c4dd74043f22

  • C:\Windows\svchost.exe
    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/364-125-0x0000000000000000-mapping.dmp
  • memory/2260-122-0x0000000000000000-mapping.dmp
  • memory/3156-118-0x0000000000000000-mapping.dmp
  • memory/3608-115-0x0000000000000000-mapping.dmp