Overview

overview

10

Static

static

10

4a72325c4b...21.exe

windows7_x64

10

4a72325c4b...21.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021.exe

  • Size

    2.9MB

  • MD5

    7ff0209df97c2298170ced643485f3c8

  • SHA1

    f78379a5aa3641e38079649f78b29b7aefe1adc3

  • SHA256

    4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021

  • SHA512

    9ab6bfbd3c6533b3c11e35955a71913ec7bfa1934fbee805df61244fc6556acbe569afbcc852937b26ed7220de303e88c454e68e4b83242dccfe7ff30a9101c9

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021.exe
    "C:\Users\Admin\AppData\Local\Temp\4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\3582-490\4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021.exe"
      2⤵
      • Executes dropped EXE
      PID:3380
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe e35d4047da3f449cb1506f884ac9788d NZEgRxQceUqaoGTnPodVoA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:720

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021.exe
    MD5

    8a4d1bbe6f65383ad167a8c81fb19df0

    SHA1

    82a30d1513d9b233d247906edc37638e5ad473a8

    SHA256

    09d9023bb6c8e9e48bbdb236b3c15fc535c0ebd5915d1490ec6d987da75688b6

    SHA512

    3ca78b75aa49c6db7758f88cfd1bcde989225f6bed2dc773c18cce3be460217c74c49c4b938e0b28301d6f1b13beccb3a22c2445d7429a0699891a1d9f2801db

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\4a72325c4b02a7766c3704a21a6852ec020a2cdcea921cebbe09ce4ed1ee8021.exe
    MD5

    8a4d1bbe6f65383ad167a8c81fb19df0

    SHA1

    82a30d1513d9b233d247906edc37638e5ad473a8

    SHA256

    09d9023bb6c8e9e48bbdb236b3c15fc535c0ebd5915d1490ec6d987da75688b6

    SHA512

    3ca78b75aa49c6db7758f88cfd1bcde989225f6bed2dc773c18cce3be460217c74c49c4b938e0b28301d6f1b13beccb3a22c2445d7429a0699891a1d9f2801db

    Download Submit