Overview

overview

10

Static

static

10

216fa36977...fe.exe

windows7-x64

10

216fa36977...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2022 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe.exe

  • Size

    96KB

  • MD5

    67bd3277b2a10f1976ca8302b792b190

  • SHA1

    45fedd8df546c024a68193ff6ec565514724a916

  • SHA256

    216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe

  • SHA512

    db55fa1dd32e437b23a4963617f5b285a0c930c745c61874600934bedfb164a12f8003e57b1c4ed5406d1c8d10a38ddb006b795cccdbdd0c40dbd2ed05bbbfbc

  • SSDEEP

    1536:JxqjQ+P04wsmJC0O8JaxELQGmA73dhfp:sr85C+DLQtA7Nhp

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe.exe
    "C:\Users\Admin\AppData\Local\Temp\216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Users\Admin\AppData\Local\Temp\3582-490\216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4800

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe.exe
    Filesize

    55KB

    MD5

    0355e05993d4991e40c90cb82b1f362a

    SHA1

    6efe46d1c149ba02c57374c8b5a869f2ff5eb3dd

    SHA256

    64c4c3e69d916e3d02361ba17b26a161c55257e6189ca2e7490dd3c67765ce6b

    SHA512

    4153004732086ea9dcb2acc4e8e8ad331ca92e3677518fffd45962d72447a86bc6307e3bebeed9f53bff7565cd879251cf58600a9436fb67f47b4645fc228af5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\216fa369774dd554fc536556999893572f27e54457c6b52c763893ce892bb7fe.exe
    Filesize

    55KB

    MD5

    0355e05993d4991e40c90cb82b1f362a

    SHA1

    6efe46d1c149ba02c57374c8b5a869f2ff5eb3dd

    SHA256

    64c4c3e69d916e3d02361ba17b26a161c55257e6189ca2e7490dd3c67765ce6b

    SHA512

    4153004732086ea9dcb2acc4e8e8ad331ca92e3677518fffd45962d72447a86bc6307e3bebeed9f53bff7565cd879251cf58600a9436fb67f47b4645fc228af5

    Download Submit

  • memory/4800-132-0x0000000000000000-mapping.dmp

    Download