Analysis
-
max time kernel
160s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
06-09-2022 21:34
General
-
Target
d04efe3df296392aff917f485e0c3897.exe
-
Size
5.5MB
-
MD5
d04efe3df296392aff917f485e0c3897
-
SHA1
1719eb1e23ab98027be23e4aef1b47950cc5dd4f
-
SHA256
968070cf4750158e7a88a559b8ca82c0a98866f77857c4dab8e55bcd32fc61df
-
SHA512
66dabe6f1d39b9635e5838fc68200cc952ba5b324efcb00290670230379bba989dc29ff1134b82da711cddea00697ec8078617126656a86ae8f57b27b7b931e1
-
SSDEEP
98304:KSiZkzOZrfJR+kCmzc8qdaMg5geYy05sZH6m9JPmlm5uRHzy+Il+crfMWHvZkby5:RzyDJEszedaR5ge1JMmnPmlXBzuXr/HZ
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d04efe3df296392aff917f485e0c3897.exe"C:\Users\Admin\AppData\Local\Temp\d04efe3df296392aff917f485e0c3897.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\d04efe3df296392aff917f485e0c3897.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\d04efe3df296392aff917f485e0c3897.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-5QCO8.tmp\d04efe3df296392aff917f485e0c3897.tmp"C:\Users\Admin\AppData\Local\Temp\is-5QCO8.tmp\d04efe3df296392aff917f485e0c3897.tmp" /SL5="$110056,4772887,898560,C:\Users\Admin\AppData\Local\Temp\3582-490\d04efe3df296392aff917f485e0c3897.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-U6SDB.tmp\closeapp.exe"C:\Users\Admin\AppData\Local\Temp\is-U6SDB.tmp\closeapp.exe" StartupStar4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.5MB
MD578b3ab2789f5f3e517acca846d8b951c
SHA16094cc5fe49b6bd9388748b99fdedab121643a73
SHA256117653c1f77dabca9652c2eb2ae9e63538083d4f135bb6400c8e1ea886d0b1c1
SHA5127b9eedb86ab887c37aa0c8c93279aea832dbbd98dc8cfa1e42156d5150e7c483ad3095f8540c8aeba04306ae64c734d746c7b946daca71e02274e01a4c6959b8
-
Filesize
5.5MB
MD578b3ab2789f5f3e517acca846d8b951c
SHA16094cc5fe49b6bd9388748b99fdedab121643a73
SHA256117653c1f77dabca9652c2eb2ae9e63538083d4f135bb6400c8e1ea886d0b1c1
SHA5127b9eedb86ab887c37aa0c8c93279aea832dbbd98dc8cfa1e42156d5150e7c483ad3095f8540c8aeba04306ae64c734d746c7b946daca71e02274e01a4c6959b8
-
Filesize
3.1MB
MD5caf2a370fad05970f8a562cdfde6ac90
SHA1c657362c34bcb45ccb2cc4db42a6de6fb8547c6f
SHA256155a3f8e5fd95e92b0665f59233df532786cab5922e743b1171aeb478e09f481
SHA512ad8456b43d1cc7d5fc34af7c9c5cf4105ac7707984aecfce3fd04495d5bfadfd73216bcec78fbe6cf47338ee6b450d49ac05b3641fb861467d4d87ef25197ef2
-
Filesize
227KB
MD59a2bbf4de6279c9321969c6257f48939
SHA14fdf355fa10fbd61c1d4c47e21e66b09493a1621
SHA25640e33b4ded6db4e96b7ba89770b248d62ffd5f9175e2e0b58692084ce3b91a10
SHA5123afd50668327f518e0d5dfe8200f43ee29cdf8dea8667e31131005e1d0e67acb96f4c218b2ab1f7a3ee926bf600b57b046b5c21ba40de779acc03d130087a4cc
-
Filesize
227KB
MD59a2bbf4de6279c9321969c6257f48939
SHA14fdf355fa10fbd61c1d4c47e21e66b09493a1621
SHA25640e33b4ded6db4e96b7ba89770b248d62ffd5f9175e2e0b58692084ce3b91a10
SHA5123afd50668327f518e0d5dfe8200f43ee29cdf8dea8667e31131005e1d0e67acb96f4c218b2ab1f7a3ee926bf600b57b046b5c21ba40de779acc03d130087a4cc
-
Filesize
164KB
MD5735c1b6a6233ac5eca5eabb6edb8de3e
SHA1fbea3d1230f3cac2f1b67141fa0706ccc5e52759
SHA25617415e672d167bb83f865a73e0c399696f1d953edf43a21e55cf79c4e5320d23
SHA5129f3c933ce3a8d9799ee7de091f84a57b3f13f0bef23c28e8a26e7287dc6c37393a704785d3fa72c83c966f6d3431c30c2164e699d2149caff0799da7385a0060
-
-
Filesize
932KB
-
Filesize
932KB
-
Filesize
932KB
-
-