Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
14/09/2022, 12:00
General
-
Target
675d64751eefe9a2af4254a4f6957ac5.exe
-
Size
384KB
-
MD5
675d64751eefe9a2af4254a4f6957ac5
-
SHA1
6f96c406bb3acb1f7af7b120f43fcd8f526cb321
-
SHA256
cfa59023a6820fccfcd995c92427f3052bd161586efdc8aced27a2fa30dfbfeb
-
SHA512
6c7c140de71f7dbe292243c8d4c99a673b73e0852eafd7a083e410eeafd1c31216fa19528965d37079932d87ea9ac7e789fa77915f06c27d327925c10f204d64
-
SSDEEP
6144:jyH7xOc6H5c6HcT66vlmrbAFM9TXR1SHOCW4gGrPP5PbwL54jl59TBWAzNhALap7:ja74XTfCWTGrPxbs54x59TkVLapjj8M7
Malware Config
Signatures
-
Detect Neshta payload 2 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"C:\Users\Admin\AppData\Local\Temp\675d64751eefe9a2af4254a4f6957ac5.exe"3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\675d64751eefe9a2af4254a4f6957ac5.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\675d64751eefe9a2af4254a4f6957ac5.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\svchost.exeC:\Windows\svchost.exe1⤵
- Executes dropped EXE
- Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
308KB
MD53800a751f42521cef0dcbb71cfc3d751
SHA1e440644ff9153259e8b75dc847959fe4d05deb14
SHA2564711a133dd40644509ff34dd24b5710bfe014c29a4c57bf80b2b5b3a5efae57d
SHA5127d87e213afa5d9121ade09731b6c46cdb0b659b38e95b46890cc4818a3d8d3fffa7c0a257bad24300f6c7dd978045c3fddd7498386a6a935a39aac1120db06e5
-
Filesize
308KB
MD53800a751f42521cef0dcbb71cfc3d751
SHA1e440644ff9153259e8b75dc847959fe4d05deb14
SHA2564711a133dd40644509ff34dd24b5710bfe014c29a4c57bf80b2b5b3a5efae57d
SHA5127d87e213afa5d9121ade09731b6c46cdb0b659b38e95b46890cc4818a3d8d3fffa7c0a257bad24300f6c7dd978045c3fddd7498386a6a935a39aac1120db06e5
-
Filesize
348KB
MD57261d4747ef2cdf19a79deb39a1b7ace
SHA1b64ec1a2e39fbea735ca434154ea9f3e1ad1d70d
SHA256be9b998016024ccd05b7aae335dc4fbca32ed54dfb6087b9cdf75b1e6f72a004
SHA5128b046efb4fc5c679ab476011fb97b055ac23a464cf31fdf055a9bc784e6092c37e2f160aa511744457b0a72de80b071ff7dc74f9805a5049cd6f1d44dd32cd0b
-
Filesize
348KB
MD57261d4747ef2cdf19a79deb39a1b7ace
SHA1b64ec1a2e39fbea735ca434154ea9f3e1ad1d70d
SHA256be9b998016024ccd05b7aae335dc4fbca32ed54dfb6087b9cdf75b1e6f72a004
SHA5128b046efb4fc5c679ab476011fb97b055ac23a464cf31fdf055a9bc784e6092c37e2f160aa511744457b0a72de80b071ff7dc74f9805a5049cd6f1d44dd32cd0b
-
Filesize
35KB
MD59e3c13b6556d5636b745d3e466d47467
SHA12ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA25620af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA5125a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b
-
Filesize
35KB
MD59e3c13b6556d5636b745d3e466d47467
SHA12ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA25620af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA5125a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b
-
Filesize
35KB
MD59e3c13b6556d5636b745d3e466d47467
SHA12ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA25620af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA5125a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b