Overview

overview

10

Static

static

3588af3f2e...5c.exe

windows7_x64

10

3588af3f2e...5c.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    26-06-2022 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe

  • Size

    298KB

  • MD5

    1a89b7d4fb8ded72e1f8e81ee9352262

  • SHA1

    3124893ffd96050e924ad003704c6144fde50ac3

  • SHA256

    3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c

  • SHA512

    77edf5e933116f190d8aec898c53d2ce93b8f12a1e5991eb2eb94f2c8527a82744308a5c093a238cf1d04de63080f2b37e167343531931c2e682e404a0ec2f0a

Score
10/10
neshtapersistencespywarestealervmprotect

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    canon222.aiq.ru
  • Port:
    21
  • Username:
    u380797
  • Password:
    wly1fs7n

Signatures

  • Detect Neshta Payload 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 7 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
    "C:\Users\Admin\AppData\Local\Temp\3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
      "C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer http://adf.ly/40h0K
          4⤵
            PID:1588
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:700
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://adf.ly/40h0K
        2⤵
        • Modifies Internet Explorer settings
        PID:1396
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1248

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
      Filesize

      236KB

      MD5

      c7a400dd9d4d867012a84e1210cf4855

      SHA1

      971caac7e21e94e90cfaf6747a46c200679443df

      SHA256

      71c542218e3d2b04386b020f5ebf02402c5e40cd0b4ba0b2e07771ee6620483d

      SHA512

      88ed2d8d6b4572f351b4da8263c254701af7df1755843c98ebcd0cf9e9b6929085a29cae59511a92da026ee671e69cff2d33f24c5e7dd0b66f366da4ef1710f8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
      Filesize

      236KB

      MD5

      c7a400dd9d4d867012a84e1210cf4855

      SHA1

      971caac7e21e94e90cfaf6747a46c200679443df

      SHA256

      71c542218e3d2b04386b020f5ebf02402c5e40cd0b4ba0b2e07771ee6620483d

      SHA512

      88ed2d8d6b4572f351b4da8263c254701af7df1755843c98ebcd0cf9e9b6929085a29cae59511a92da026ee671e69cff2d33f24c5e7dd0b66f366da4ef1710f8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
      Filesize

      276KB

      MD5

      ceaf625fcce888f1ee609aa9023f5059

      SHA1

      4ffa529a3c6fca78c65ad89b6f16aef7519b983e

      SHA256

      f95206dc9a1f5c922256752180d79c961aaf2d87db84c8accfcbcea35e434ca7

      SHA512

      e463d764566f5f695438e773e0bd789ccf9c249b50993a07fe48a289bd8dd41fed4fb27211e343fbae5eb3e81d5a5b55574219d43a5c7d7ce8f5e1a2da5a964f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
      Filesize

      276KB

      MD5

      ceaf625fcce888f1ee609aa9023f5059

      SHA1

      4ffa529a3c6fca78c65ad89b6f16aef7519b983e

      SHA256

      f95206dc9a1f5c922256752180d79c961aaf2d87db84c8accfcbcea35e434ca7

      SHA512

      e463d764566f5f695438e773e0bd789ccf9c249b50993a07fe48a289bd8dd41fed4fb27211e343fbae5eb3e81d5a5b55574219d43a5c7d7ce8f5e1a2da5a964f

      Download Submit
    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
      Filesize

      236KB

      MD5

      c7a400dd9d4d867012a84e1210cf4855

      SHA1

      971caac7e21e94e90cfaf6747a46c200679443df

      SHA256

      71c542218e3d2b04386b020f5ebf02402c5e40cd0b4ba0b2e07771ee6620483d

      SHA512

      88ed2d8d6b4572f351b4da8263c254701af7df1755843c98ebcd0cf9e9b6929085a29cae59511a92da026ee671e69cff2d33f24c5e7dd0b66f366da4ef1710f8

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
      Filesize

      236KB

      MD5

      c7a400dd9d4d867012a84e1210cf4855

      SHA1

      971caac7e21e94e90cfaf6747a46c200679443df

      SHA256

      71c542218e3d2b04386b020f5ebf02402c5e40cd0b4ba0b2e07771ee6620483d

      SHA512

      88ed2d8d6b4572f351b4da8263c254701af7df1755843c98ebcd0cf9e9b6929085a29cae59511a92da026ee671e69cff2d33f24c5e7dd0b66f366da4ef1710f8

      Download Submit
    • \Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
      Filesize

      276KB

      MD5

      ceaf625fcce888f1ee609aa9023f5059

      SHA1

      4ffa529a3c6fca78c65ad89b6f16aef7519b983e

      SHA256

      f95206dc9a1f5c922256752180d79c961aaf2d87db84c8accfcbcea35e434ca7

      SHA512

      e463d764566f5f695438e773e0bd789ccf9c249b50993a07fe48a289bd8dd41fed4fb27211e343fbae5eb3e81d5a5b55574219d43a5c7d7ce8f5e1a2da5a964f

      Download Submit
    • \Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
      Filesize

      276KB

      MD5

      ceaf625fcce888f1ee609aa9023f5059

      SHA1

      4ffa529a3c6fca78c65ad89b6f16aef7519b983e

      SHA256

      f95206dc9a1f5c922256752180d79c961aaf2d87db84c8accfcbcea35e434ca7

      SHA512

      e463d764566f5f695438e773e0bd789ccf9c249b50993a07fe48a289bd8dd41fed4fb27211e343fbae5eb3e81d5a5b55574219d43a5c7d7ce8f5e1a2da5a964f

      Download Submit
    • memory/700-95-0x000007FEFC511000-0x000007FEFC513000-memory.dmp
      Filesize

      8KB

      Download
    • memory/912-57-0x0000000000000000-mapping.dmp
      Download
    • memory/912-71-0x0000000002640000-0x00000000026BB000-memory.dmp
      Filesize

      492KB

      Download
    • memory/912-72-0x0000000002640000-0x00000000026BB000-memory.dmp
      Filesize

      492KB

      Download
    • memory/1244-66-0x0000000000400000-0x000000000047B000-memory.dmp
      Filesize

      492KB

      Download
    • memory/1244-73-0x0000000000400000-0x000000000047B000-memory.dmp
      Filesize

      492KB

      Download
    • memory/1244-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1244-96-0x0000000000400000-0x000000000047B000-memory.dmp
      Filesize

      492KB

      Download
    • memory/1588-92-0x0000000000000000-mapping.dmp
      Download
    • memory/1588-94-0x00000000720A1000-0x00000000720A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1824-70-0x0000000000400000-0x0000000000493000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1824-54-0x0000000075E31000-0x0000000075E33000-memory.dmp
      Filesize

      8KB

      Download