Analysis

  • max time kernel
    108s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 03:11

General

  • Target
    5145dacb24cf625240c5798b092be13e5a2674b4fc226d4ccab11495d025b993.exe
  • Size
    567KB
  • MD5
    77919d56ebbb4e411250024bb5932437
  • SHA1
    348ed6271efe7195984e277e8e094fd7b9587e3c
  • SHA256
    5145dacb24cf625240c5798b092be13e5a2674b4fc226d4ccab11495d025b993
  • SHA512
    5e45496aa83b3a306fd1ccb8505ff9406f4ac3f640762cf90e6a735c7fc223868c653ebd004accd1a63fbed4008038e636731ef6220d0990bb97b4c50959ee96

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executable files in order to spread and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5145dacb24cf625240c5798b092be13e5a2674b4fc226d4ccab11495d025b993.exe
    "C:\Users\Admin\AppData\Local\Temp\5145dacb24cf625240c5798b092be13e5a2674b4fc226d4ccab11495d025b993.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Local\Temp\3582-490\5145dacb24cf625240c5798b092be13e5a2674b4fc226d4ccab11495d025b993.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\5145dacb24cf625240c5798b092be13e5a2674b4fc226d4ccab11495d025b993.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:4716

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\5145dacb24cf625240c5798b092be13e5a2674b4fc226d4ccab11495d025b993.exe
    Filesize
    527KB
    MD5
    dd720c9ed3800189333311c3dcb04b7f
    SHA1
    e0ecf01c5ee0a17696e76ca773f73a9edb2d8211
    SHA256
    d80c933d2d39efd3e6ed61513d952e7fb64f1a574ede9fb5bf93b33d232ca71a
    SHA512
    f828638b600f6da6ae4c72be8511d7e150b3671f7e7e740140dcb3ee49adae5c84a696a06c79b6b2309298211ca335ae4a7d6e59c6d74663e388539c5cac52d4

  • memory/4716-130-0x0000000000000000-mapping.dmp
  • memory/4716-132-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-133-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-134-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-135-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-136-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-137-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-138-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-139-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB

  • memory/4716-140-0x00000000011B0000-0x00000000011C0000-memory.dmp
    Filesize

    64KB