Analysis

  • max time kernel
    150s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2022 23:22

General

  • Target

    473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8.exe

  • Size

    904KB

  • MD5

    28db73628b722ab0f2aeb1dea5b8b7c0

  • SHA1

    d73366acf93e07bbdb7e86970f49954acff70935

  • SHA256

    473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8

  • SHA512

    5efe4a95cbd69bc01efa0b12ce335b1109699ca97c2ceaebf6d83c1749b38656c6dd9df8fc8a30b60b9553761db20671ec89b9fce989831c2affbcb394029778

  • SSDEEP

    24576:X84VpQVJdqZC3ChK19b+5BTNSmkMx9oGUS+c0M:X84DSkCyib+55oRYUS+cv

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8.exe
    "C:\Users\Admin\AppData\Local\Temp\473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\3582-490\473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Program Files (x86)\GUMA935.tmp\GoogleUpdate.exe
        "C:\Program Files (x86)\GUMA935.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={A008A217-A0EA-2497-F0BD-C8E59E9E5DFC}&lang=ar&browser=3&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&installdataindex=defaultbrowser"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5048

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\PROGRA~2\GUMA935.tmp\GOB742~1.EXE

    Filesize

    315KB

    MD5

    537e23fcc09567dfd93c7e5335cc2c5a

    SHA1

    95899805889cbb3299095e6019fd9f316e97c51a

    SHA256

    58d5808755ec556f9af23f5439c697717a0221a3e0a67403d13621853623c12f

    SHA512

    4c795ef3a58d42af0be2f173f7b134ad75416d94c7118296ab66d70b72544d3355b6cce219f62d4e0991c45efa9e4986c1eea7f0c9a4088c95046c39e56d07a1

  • C:\PROGRA~2\GUMA935.tmp\GOBD5D~1.EXE

    Filesize

    152KB

    MD5

    74e2215ae09c315499afe3b12c03b6b8

    SHA1

    df9a22834daa814de4328ac56dee5a2b01fdf952

    SHA256

    f04174e9880390b4410f4ee647530d8ef5db66933ded5ecb269e8884264706c7

    SHA512

    0dce3fcaea1dc83c033efc6212ce2db05de78c776285fbe083f51a1637947a51c622d03ae2673b6ca1999636c8c6094e27be79c67397037bc428ed5c9a3a6faf

  • C:\PROGRA~2\GUMA935.tmp\GOFB2B~1.EXE

    Filesize

    904KB

    MD5

    28db73628b722ab0f2aeb1dea5b8b7c0

    SHA1

    d73366acf93e07bbdb7e86970f49954acff70935

    SHA256

    473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8

    SHA512

    5efe4a95cbd69bc01efa0b12ce335b1109699ca97c2ceaebf6d83c1749b38656c6dd9df8fc8a30b60b9553761db20671ec89b9fce989831c2affbcb394029778

  • C:\PROGRA~2\GUMA935.tmp\GOOGLE~2.EXE

    Filesize

    223KB

    MD5

    7e6b107120108b3a15bfece0de3201db

    SHA1

    21b3e0b348cd3c382f6be65de4b0999c27d8a59f

    SHA256

    80e38dd0a8bd05c62e3569a916f50f0596f0c44a8f7ee56f44e101138b59858e

    SHA512

    f5da75fd6cec3116428a65019d5971337f602d2a795c3496fc6a23d5c5d55842986adc96e7e3f1a20fde925e2df06ad26cac4b38f80b34c73ea9ffab50dcb7db

  • C:\PROGRA~2\GUMA935.tmp\GOOGLE~3.EXE

    Filesize

    90KB

    MD5

    358e249ad35007e59c8a13d597fd9230

    SHA1

    6fbe9a0442783f011f26113aaf0f691fb075163d

    SHA256

    0c91cedf32d2d627e43270a91e308eebfa088ea7526f843845947f2766c08c69

    SHA512

    4ebc0fef6d18b35c75e68fa6bb9ab1899da9570a4b58401ee42dbcaa6263c21afb5895b0e60111aa561e494e6af205239c22076a9f0cf98a15d993c1aa0d7df9

  • C:\PROGRA~2\GUMA935.tmp\GOOGLE~4.EXE

    Filesize

    90KB

    MD5

    1945f631714c7662e358f017c089adf8

    SHA1

    daff4f3e33bd1d03ec140530f8552519070c5f2e

    SHA256

    aa18c3bb9b54edbaa7d9581357f23fac0bae99ca99446fed47d9be3d51cf695f

    SHA512

    2502cf15619709765e8b33c8ae571a46aac3bf27fc8197d03dbb24bdba96cc837cdeac6c4c0771a77507b5f7e338ece3f62c28a47f3c4faab7bf4c380c767259

  • C:\Program Files (x86)\GUMA935.tmp\GoogleUpdate.exe

    Filesize

    113KB

    MD5

    506708142bc63daba64f2d3ad1dcd5bf

    SHA1

    d30e8c7543adbc801d675068530b57d75cabb13f

    SHA256

    9c36a08d9e7932ff4da7b5f24e6b42c92f28685b8abe964c870e8d7670fd531a

    SHA512

    a6e16f0de64b1500fbb2c7974a5efd40e8768b6c133f8ef367725a5c82b3b38c300dd65fa159b4a5f15413b0843a1e37416550ec89749ec1cf5cfae73dcc01ab

  • C:\Program Files (x86)\GUMA935.tmp\goopdate.dll

    Filesize

    1.6MB

    MD5

    0928b9c3f2193ee265aa5e9b163d96eb

    SHA1

    4c15a19527bf3d2d8e522d99c863c15947df7633

    SHA256

    e2044c1098602441657fcbe2661180a7d3e450b5d8ed42410010ac89f866cf45

    SHA512

    0811b073bb0c2a2d6cae983317c370a6894b3e94ef984839d6262c376956ac6a53991d22df7584aa3e7a916928833a9067b85fb8f3945bdc99dd8557cdde2673

  • C:\Program Files (x86)\GUMA935.tmp\goopdateres_ar.dll

    Filesize

    34KB

    MD5

    05e505fba546536493625827f2584910

    SHA1

    2f79b388b556a535d8ddd6d2a668042876c974bd

    SHA256

    6cd01a0c3b5b3aaea3e8dee1ec3a8feb343aa60a48f4a3a90ba9cfdff4c6c78e

    SHA512

    fc271d8ef4a761ee92ae4097032977c7145961c1fe0a6d7273db5f96d75036cbeb23e8bd691655d60fd41d851cb8f0e673c7e0ddccf1b3c136fe7661917be43a

  • C:\Users\Admin\AppData\Local\Temp\3582-490\473d933ff8ddb3a4139861b415e790ac4319bc217871950b20796ad13d169fa8.exe

    Filesize

    863KB

    MD5

    2acc293cfee514b698450863511d339a

    SHA1

    280ad8568c262d34dd6f3044cf8b8c5fa9ede6b5

    SHA256

    7759c287d13c49d26484b3b37d493f71e9698708a51f407d64f283aad98f82d6

    SHA512

    02b401f568b129c12a92a23236f7d01fd40cccbd0e6ed7fb979d58d90a3c10340a5f0a35bb60afa5f04b284adc252be2c61619b5392d1ecbb0688aae3892e844

  • memory/2708-132-0x0000000000000000-mapping.dmp

  • memory/5048-135-0x0000000000000000-mapping.dmp