Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2022 23:21

General

  • Target

    bb165f0a69bbbf5efc9cea4e17f21ea976b3ee1d265102ae586f63a1b7baf807.exe

  • Size

    104KB

  • MD5

    1a89d146fcff1aa4354a5a2dd53e0260

  • SHA1

    6b84394d6ea23a2a41a9886e9c8ea2d6ed67701e

  • SHA256

    bb165f0a69bbbf5efc9cea4e17f21ea976b3ee1d265102ae586f63a1b7baf807

  • SHA512

    489af3d23f116fcd8f0003cb37606248621e507b9d87727c20d09a08c4f26e5e4a3701f464863c6fcf83300bef37d4e40dd92a34bde57f6834b9e59c562ba5a7

  • SSDEEP

    1536:JxqjQ+P04wsmJCLM9oaBjEf29o41ahfkNpgpHzb9dZVX9fHMvG0D3XJDp1C:sr85CLMJEO9o4s0gXdZt9P6D3XJD3C

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family is designed to infect other executable files in order to spread itself and cause damage.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb165f0a69bbbf5efc9cea4e17f21ea976b3ee1d265102ae586f63a1b7baf807.exe
    "C:\Users\Admin\AppData\Local\Temp\bb165f0a69bbbf5efc9cea4e17f21ea976b3ee1d265102ae586f63a1b7baf807.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\3582-490\bb165f0a69bbbf5efc9cea4e17f21ea976b3ee1d265102ae586f63a1b7baf807.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bb165f0a69bbbf5efc9cea4e17f21ea976b3ee1d265102ae586f63a1b7baf807.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
        "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\3582-490\
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1360

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\bb165f0a69bbbf5efc9cea4e17f21ea976b3ee1d265102ae586f63a1b7baf807.exe

    Filesize

    63KB

    MD5

    a1b1820b110cbce7ab4bdf61a7320a4d

    SHA1

    6120046598fc4278110dd07be83a6f22f27aa7c4

    SHA256

    31c571e2795b8c6b7c840b101f7703afbc53a4a37b1baf18f27f288f3069cf4c

    SHA512

    a4102e0f22fd855a73c4debe604168c4f4ca1710d7beec1cf4c4d5629764fc5571f65ab3246806ba0153cd0c496ad4e659fdbb3a01e0912a3ede3ca80b272eb5

  • C:\Users\Admin\AppData\Local\Temp\nse6E12.tmp\inetc.dll

    Filesize

    20KB

    MD5

    f02155fa3e59a8fc48a74a236b2bb42e

    SHA1

    6d76ee8f86fb29f3352c9546250d940f1a476fb8

    SHA256

    096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999

    SHA512

    8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

  • C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

    Filesize

    63KB

    MD5

    a1b1820b110cbce7ab4bdf61a7320a4d

    SHA1

    6120046598fc4278110dd07be83a6f22f27aa7c4

    SHA256

    31c571e2795b8c6b7c840b101f7703afbc53a4a37b1baf18f27f288f3069cf4c

    SHA512

    a4102e0f22fd855a73c4debe604168c4f4ca1710d7beec1cf4c4d5629764fc5571f65ab3246806ba0153cd0c496ad4e659fdbb3a01e0912a3ede3ca80b272eb5

  • memory/1360-135-0x0000000000000000-mapping.dmp

  • memory/2256-132-0x0000000000000000-mapping.dmp