Analysis

  • max time kernel: 201s
  • max time network: 218s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 29-01-2022 02:36

General

  • Target: bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
  • Size: 4.1MB
  • MD5: d6e27197a91b203abf9d53e5efc1848c
  • SHA1: d12a1d69d0afeac94913aca59e5d7e8f2099288e
  • SHA256: bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a
  • SHA512: 002eabbb5e5087cc0015c579691b2a4f93a02532d7b0e379075143a16f0a938319ad292625aa141c7467707e39a1d8825593b74a71ca02cd01f419fa7369bf64

Malware Config

Signatures

  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • Neshta

    Malware from the Neshta family is a file infector: it injects its own code into other executables to spread and to cause damage.

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Drops file in Program Files directory (53 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe"
    PID: 1212
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Local\Temp\3582-490\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe"
      PID: 4036
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
    MD5: 5efbf9c8aff4e52db51ad1713ff4567b
    SHA1: 2a2214b1e97d832817fe0e2f3a3824df2bc0b8fb
    SHA256: 3e64d064e56fec78714b245353ccdac8423e95d2ebe103511934a309487b4fd5
    SHA512: f4b38b593747884234bb572e6b05e97a91152ad61dfab9f9417d5b0e276e3267abca7b9d94365e5452ffcfcdc091f41cd547615827413442666ebc1587c7d8ef