Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 21:38

General

  • Target

    fd9d171bcdcc7750ca7cbdcb83c3210a0c17f67f8bf5050ff0c8b2298209251b.exe

  • Size

    84KB

  • MD5

    0f403373e7ea600c1af5a0ea93a0edd0

  • SHA1

    5900cbe589c6af13778e94431ae15058444dfcef

  • SHA256

    fd9d171bcdcc7750ca7cbdcb83c3210a0c17f67f8bf5050ff0c8b2298209251b

  • SHA512

    d9044bd74f142115a00ffb25d4be66f9389df9bd14c4f071a791ab20d052269c8dded29c36426d1152d88b40e5abd33532d4a6935be7cc136fbac99262f24eb5

  • SSDEEP

    1536:JxqjQ+P04wsmJCkA03k/zd2jrk12EmGWK:sr85CZd/zKa2EmLK

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it writes itself into other executable files to spread and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd9d171bcdcc7750ca7cbdcb83c3210a0c17f67f8bf5050ff0c8b2298209251b.exe
    "C:\Users\Admin\AppData\Local\Temp\fd9d171bcdcc7750ca7cbdcb83c3210a0c17f67f8bf5050ff0c8b2298209251b.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\3582-490\fd9d171bcdcc7750ca7cbdcb83c3210a0c17f67f8bf5050ff0c8b2298209251b.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\fd9d171bcdcc7750ca7cbdcb83c3210a0c17f67f8bf5050ff0c8b2298209251b.exe"
      2⤵
      • Executes dropped EXE
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\fd9d171bcdcc7750ca7cbdcb83c3210a0c17f67f8bf5050ff0c8b2298209251b.exe

    Filesize

    44KB

    MD5

    b631ad67456cb884a1609593e93de136

    SHA1

    c2d1119638b2dc8a6e96e9cc13effea5c41b32dd

    SHA256

    6050a8a6b6f1d8505f64105b3a23ed22d63707b68fd0a272b6b0e68edf8fd604

    SHA512

    d2e78ae50b8d81d830b8171fa37a2206cb27c29b587e5e13f5cbd48408524008a087bf70764bf86f93e505e95c35cfbba9d82bb1d5bb348aec34fda34b15ac89
