Analysis

  • max time kernel
    118s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19-11-2022 23:27

General

  • Target

    363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe

  • Size

    507KB

  • MD5

    3e273632856cdaf6171def30af3ddba0

  • SHA1

    8b7f007bf6ba22dcd385f927a6e64f0ba15e584e

  • SHA256

    363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5

  • SHA512

    57661903687e4eeaea1e665fbffaa9dbe49f7597e73f2f68cad03e60d656d8917ede3b1dc05abf0e0d5d6788caa79b417a20dcb7cbe5ed0cac1662de259a5818

  • SSDEEP

    12288:jayti3n8BcaaNHiI7XHgZQKhJgeCmefHq0HHebl:jaN8xaNHtLHgZpJEhJH6l

Malware Config

Signatures

  • Detect Neshta payload 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it inserts itself into other executables it finds on the host so that they spread it further, drops its own copy as C:\Windows\svchost.exe (not the genuine service host in System32) and registers that file as the handler for .exe files, so every program the user launches passes through the infector first. The original host program is staged under %TEMP%\3582-490\ and run from there, which is why infected applications still appear to work.

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; for a file infector such as Neshta it is equally consistent with enumerating drives to find further executables to infect.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe
    "C:\Users\Admin\AppData\Local\Temp\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe
        "C:\Users\Admin\AppData\Local\Temp\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe"
        3⤵
        • Modifies system executable filetype association
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Users\Admin\AppData\Local\Temp\3582-490\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe"
          4⤵
          • Executes dropped EXE
          PID:2096
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:612
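
The process tree above shows the Neshta chain end to end: the submitted sample drops C:\Windows\svchost.exe and launches it with its own path as the argument; that svchost.exe re-launches the (now rewritten) sample, which changes the exefile association and stages a copy under %TEMP%\3582-490\ that is then executed. The Python below is an added detection example, not part of the sandbox report: it turns those observations into rules over Sysmon-style ProcessCreate, RegistrySetValue and FileCreate records and matches image hashes against the report's IoC table. The event records are constructed to mirror the tree; the explorer.exe parent of the first process and the exact registry data ("C:\Windows\svchost.exe" "%1") are assumptions, since the report only shows the resulting command line. Field names follow Sysmon's, but any telemetry that provides image, parent image, hash, registry target and file path would do.

```python
"""Detection rules for the Neshta infection chain shown in the sandbox report.

Added example: runs Sysmon-style events (plain dicts) through rules derived from
the report's process tree and signatures, and matches hashes against its IoCs.
The SAMPLE_EVENTS below are constructed, not captured from the sandbox.
"""
import re
from typing import Dict, Iterable, List, Optional

# SHA256 values copied from the report (General and Downloads sections).
NESHTA_IOC_SHA256: Dict[str, str] = {
    "363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5": "submitted sample, 507KB",
    "8452afe4ce1415fa9c276e112278534ceb41bf6036514ba336bdee42821055f1": "rewritten copy in %TEMP%, 471KB",
    "a858267572033c185293b0fd15b2bfda679d0771a14c0adf24461b529dbad8df": "file staged in %TEMP%\\3582-490, 431KB",
    "20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8": "dropped C:\\Windows\\svchost.exe, 35KB",
}

# The genuine svchost.exe only lives in these directories.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Staging directory for the infected host program, as seen in the process tree.
STAGING_DIR_RE = re.compile(r"\\appdata\\local\\temp\\3582-490\\", re.IGNORECASE)
# Registry key behind "Modifies system executable filetype association".
EXEFILE_CMD_RE = re.compile(r"\\classes\\exefile\\shell\\open\\command", re.IGNORECASE)


def _norm(path: str) -> str:
    """Strip surrounding quotes and lower-case a path for comparison."""
    return path.strip().strip('"').lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def match_ioc(sha256: str) -> Optional[str]:
    """Return the report's label for a known Neshta hash, else None."""
    return NESHTA_IOC_SHA256.get(sha256.lower())


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    findings: List[str] = []
    kind = ev.get("EventType")
    if kind == "ProcessCreate":
        pid = ev.get("ProcessId", "?")
        image = _norm(ev.get("Image", ""))
        parent = _norm(ev.get("ParentImage", ""))
        # svchost.exe anywhere but System32/SysWOW64 is the dropped infector.
        if image.endswith("\\svchost.exe") and _dirname(image) not in LEGIT_SVCHOST_DIRS:
            findings.append(f"pid {pid}: svchost.exe outside System32: {image}")
        # A program launched by a rogue svchost.exe went through the hijacked exefile handler.
        if parent.endswith("\\svchost.exe") and _dirname(parent) not in LEGIT_SVCHOST_DIRS:
            findings.append(f"pid {pid}: launched by rogue svchost.exe ({parent})")
        if STAGING_DIR_RE.search(image):
            findings.append(f"pid {pid}: executing from Neshta staging dir 3582-490")
        label = match_ioc(ev.get("SHA256", ""))
        if label is not None:
            findings.append(f"pid {pid}: image hash matches report IoC ({label})")
    elif kind == "RegistrySetValue":
        key = _norm(ev.get("TargetObject", ""))
        data = _norm(ev.get("Details", ""))
        if EXEFILE_CMD_RE.search(key) and "svchost.exe" in data:
            findings.append(f"exefile handler hijacked: {key} -> {ev.get('Details')}")
    elif kind == "FileCreate":
        target = _norm(ev.get("TargetFilename", ""))
        if STAGING_DIR_RE.search(target):
            findings.append(f"file written to Neshta staging dir: {target}")
        if target == r"c:\windows\svchost.exe":
            findings.append("svchost.exe written directly under C:\\Windows")
    return findings


def detect(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run every event through the rules and collect all findings."""
    out: List[str] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


SAMPLE = "363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events mirroring the report's tree (PIDs 2696 -> 1260 -> 5016 -> 2096).
# The explorer.exe parent and the registry Details value are assumptions.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": "2696", "Image": f"{TEMP}\\{SAMPLE}",
     "ParentImage": r"C:\Windows\explorer.exe",
     "SHA256": "363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Windows\svchost.exe"},
    {"EventType": "ProcessCreate", "ProcessId": "1260", "Image": r"C:\Windows\svchost.exe",
     "ParentImage": f"{TEMP}\\{SAMPLE}",
     "SHA256": "20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8"},
    {"EventType": "ProcessCreate", "ProcessId": "5016", "Image": f"{TEMP}\\{SAMPLE}",
     "ParentImage": r"C:\Windows\svchost.exe",
     "SHA256": "8452afe4ce1415fa9c276e112278534ceb41bf6036514ba336bdee42821055f1"},
    {"EventType": "RegistrySetValue",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'"C:\Windows\svchost.exe" "%1"'},
    {"EventType": "FileCreate", "TargetFilename": f"{TEMP}\\3582-490\\{SAMPLE}"},
    {"EventType": "ProcessCreate", "ProcessId": "2096", "Image": f"{TEMP}\\3582-490\\{SAMPLE}",
     "ParentImage": f"{TEMP}\\{SAMPLE}",
     "SHA256": "a858267572033c185293b0fd15b2bfda679d0771a14c0adf24461b529dbad8df"},
    # Benign control: the real service host must not fire any rule.
    {"EventType": "ProcessCreate", "ProcessId": "900", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "SHA256": "00" * 32},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The hash rule alone would miss any other Neshta build, so the behavioural rules carry the weight: a svchost.exe outside System32, a process whose parent is that file, and a write to the exefile\shell\open\command value are each strong on their own, and together they reproduce the chain the sandbox recorded. The staging-directory rule is the cheapest host-side check after the fact: the presence of %TEMP%\3582-490\ on a machine means the infector has already run there.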

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe

    Filesize

    431KB

    MD5

    1f0e05dff4f5a833168e49be1256f002

    SHA1

    130651909b0d5130bd4eb6ea27334896b6191d47

    SHA256

    a858267572033c185293b0fd15b2bfda679d0771a14c0adf24461b529dbad8df

    SHA512

    f1b25b18ad18fd6974f353b6e1c2bccd34bd28416818cbf5214b41f0925146d09dba8b98d0458ade83de1480933928107b4d2e4032afa72aafe4fefbabf890dc

  • C:\Users\Admin\AppData\Local\Temp\363b294f310c6a4578d1d4fc5bc2fbdfcab2b2e6ee033c0fa44f11430b574db5.exe

    Filesize

    471KB

    MD5

    acf2bcdf5e120d29297655eb3cdf1c0b

    SHA1

    5ec04a267799432a74438c2cc1aba01a49d658f1

    SHA256

    8452afe4ce1415fa9c276e112278534ceb41bf6036514ba336bdee42821055f1

    SHA512

    98c43af6d91c483de8d08c81a4f139bbe9c228c0eb1ec916397b2bdef35c065ba979a5515d0c1bec89c7116a61426e89285d8bb21a56a705c6ac4c4b9c38d8a4

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/1260-132-0x0000000000000000-mapping.dmp

  • memory/2096-139-0x0000000000000000-mapping.dmp

  • memory/5016-135-0x0000000000000000-mapping.dmp