Overview

overview

10

Static

static

10

a6ea425a92...d8.exe

windows7_x64

10

a6ea425a92...d8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    9s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 00:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8.exe

  • Size

    390KB

  • MD5

    142f6784b75b36009895d619c005ef2b

  • SHA1

    e0b1d1d523babe73cce2c5d585a19f73b871732d

  • SHA256

    a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8

  • SHA512

    6710731f379e4c6c526b1c94d99d3c786714a2a7c529ae7a3d8aad6e6139f92b63d46f319f79a7c4dae233cef2586640c6f36aae8461f6db524e8bc4ae222574

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8.exe
    "C:\Users\Admin\AppData\Local\Temp\a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8.exe
    Filesize

    350KB

    MD5

    844f84f505ee4d0e1677111de114eedc

    SHA1

    d8763eaf5b642e4e74dd94b91e165236ed7619c9

    SHA256

    d088a3269203827c095c827b8cfe545ab9a39d7dae9853343b7639ed5a47ce4a

    SHA512

    04e51cc70074b06b7152c2075af822b0c47db24a6378694f0d863b0c8484c4ad9b2ae3a1d6d9d68b2ab2f727c42664bae0d13b7cd511253d62f6e42ae8d428ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\a6ea425a92683ca05ed518cb36ccc7046b81eba5321ce6888329d0b78fcb87d8.exe
    Filesize

    350KB

    MD5

    844f84f505ee4d0e1677111de114eedc

    SHA1

    d8763eaf5b642e4e74dd94b91e165236ed7619c9

    SHA256

    d088a3269203827c095c827b8cfe545ab9a39d7dae9853343b7639ed5a47ce4a

    SHA512

    04e51cc70074b06b7152c2075af822b0c47db24a6378694f0d863b0c8484c4ad9b2ae3a1d6d9d68b2ab2f727c42664bae0d13b7cd511253d62f6e42ae8d428ab

    Download Submit

  • memory/2876-130-0x0000000000000000-mapping.dmp

    Download