Overview

overview

10

Static

static

675d64751e...c5.exe

windows7-x64

10

675d64751e...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2022, 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    675d64751eefe9a2af4254a4f6957ac5.exe

  • Size

    384KB

  • MD5

    675d64751eefe9a2af4254a4f6957ac5

  • SHA1

    6f96c406bb3acb1f7af7b120f43fcd8f526cb321

  • SHA256

    cfa59023a6820fccfcd995c92427f3052bd161586efdc8aced27a2fa30dfbfeb

  • SHA512

    6c7c140de71f7dbe292243c8d4c99a673b73e0852eafd7a083e410eeafd1c31216fa19528965d37079932d87ea9ac7e789fa77915f06c27d327925c10f204d64

  • SSDEEP

    6144:jyH7xOc6H5c6HcT66vlmrbAFM9TXR1SHOCW4gGrPP5PbwL54jl59TBWAzNhALap7:ja74XTfCWTGrPxbs54x59TkVLapjj8M7

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe
    "C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe
        "C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"
        3⤵
        • Modifies system executable filetype association
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Users\Admin\AppData\Local\Temp\3582-490\675d64751eefe9a2af4254a4f6957ac5.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\675d64751eefe9a2af4254a4f6957ac5.exe"
          4⤵
          • Executes dropped EXE
          PID:1364
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
    Filesize

    1.1MB

    MD5

    15e2192b38b8c6162f477113b8ce027d

    SHA1

    673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

    SHA256

    4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

    SHA512

    d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\675d64751eefe9a2af4254a4f6957ac5.exe
    Filesize

    308KB

    MD5

    3800a751f42521cef0dcbb71cfc3d751

    SHA1

    e440644ff9153259e8b75dc847959fe4d05deb14

    SHA256

    4711a133dd40644509ff34dd24b5710bfe014c29a4c57bf80b2b5b3a5efae57d

    SHA512

    7d87e213afa5d9121ade09731b6c46cdb0b659b38e95b46890cc4818a3d8d3fffa7c0a257bad24300f6c7dd978045c3fddd7498386a6a935a39aac1120db06e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe
    Filesize

    348KB

    MD5

    7261d4747ef2cdf19a79deb39a1b7ace

    SHA1

    b64ec1a2e39fbea735ca434154ea9f3e1ad1d70d

    SHA256

    be9b998016024ccd05b7aae335dc4fbca32ed54dfb6087b9cdf75b1e6f72a004

    SHA512

    8b046efb4fc5c679ab476011fb97b055ac23a464cf31fdf055a9bc784e6092c37e2f160aa511744457b0a72de80b071ff7dc74f9805a5049cd6f1d44dd32cd0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe
    Filesize

    348KB

    MD5

    7261d4747ef2cdf19a79deb39a1b7ace

    SHA1

    b64ec1a2e39fbea735ca434154ea9f3e1ad1d70d

    SHA256

    be9b998016024ccd05b7aae335dc4fbca32ed54dfb6087b9cdf75b1e6f72a004

    SHA512

    8b046efb4fc5c679ab476011fb97b055ac23a464cf31fdf055a9bc784e6092c37e2f160aa511744457b0a72de80b071ff7dc74f9805a5049cd6f1d44dd32cd0b

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • \MSOCache\ALLUSE~1\{9A861~1\ose.exe
    Filesize

    145KB

    MD5

    9d10f99a6712e28f8acd5641e3a7ea6b

    SHA1

    835e982347db919a681ba12f3891f62152e50f0d

    SHA256

    70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

    SHA512

    2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

    Download Submit

  • \MSOCache\ALLUSE~1\{9A861~1\setup.exe
    Filesize

    1.1MB

    MD5

    15e2192b38b8c6162f477113b8ce027d

    SHA1

    673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

    SHA256

    4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

    SHA512

    d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\675d64751eefe9a2af4254a4f6957ac5.exe
    Filesize

    308KB

    MD5

    3800a751f42521cef0dcbb71cfc3d751

    SHA1

    e440644ff9153259e8b75dc847959fe4d05deb14

    SHA256

    4711a133dd40644509ff34dd24b5710bfe014c29a4c57bf80b2b5b3a5efae57d

    SHA512

    7d87e213afa5d9121ade09731b6c46cdb0b659b38e95b46890cc4818a3d8d3fffa7c0a257bad24300f6c7dd978045c3fddd7498386a6a935a39aac1120db06e5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\675d64751eefe9a2af4254a4f6957ac5.exe
    Filesize

    308KB

    MD5

    3800a751f42521cef0dcbb71cfc3d751

    SHA1

    e440644ff9153259e8b75dc847959fe4d05deb14

    SHA256

    4711a133dd40644509ff34dd24b5710bfe014c29a4c57bf80b2b5b3a5efae57d

    SHA512

    7d87e213afa5d9121ade09731b6c46cdb0b659b38e95b46890cc4818a3d8d3fffa7c0a257bad24300f6c7dd978045c3fddd7498386a6a935a39aac1120db06e5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe
    Filesize

    348KB

    MD5

    7261d4747ef2cdf19a79deb39a1b7ace

    SHA1

    b64ec1a2e39fbea735ca434154ea9f3e1ad1d70d

    SHA256

    be9b998016024ccd05b7aae335dc4fbca32ed54dfb6087b9cdf75b1e6f72a004

    SHA512

    8b046efb4fc5c679ab476011fb97b055ac23a464cf31fdf055a9bc784e6092c37e2f160aa511744457b0a72de80b071ff7dc74f9805a5049cd6f1d44dd32cd0b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe
    Filesize

    348KB

    MD5

    7261d4747ef2cdf19a79deb39a1b7ace

    SHA1

    b64ec1a2e39fbea735ca434154ea9f3e1ad1d70d

    SHA256

    be9b998016024ccd05b7aae335dc4fbca32ed54dfb6087b9cdf75b1e6f72a004

    SHA512

    8b046efb4fc5c679ab476011fb97b055ac23a464cf31fdf055a9bc784e6092c37e2f160aa511744457b0a72de80b071ff7dc74f9805a5049cd6f1d44dd32cd0b

    Download Submit

  • memory/960-61-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

    Filesize

    8KB

    Download