Analysis

  • max time kernel: 146s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20221111-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-11-2022 09:38

General

  • Target: 13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
  • Size: 186KB
  • MD5: 5d7bde6e537b207b0a64ac6f7ce07ae9
  • SHA1: 18c7509eca18bc9534267f150875fdeade983973
  • SHA256: 13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee
  • SHA512: 2c165980ecec1ca820f3b396c4ef6305d933a40611867945fc1f4e380b648002f0fdd0b7971b3af2488e39a3ac73e8b8430c5bb2298d55e23aaf44e0f6eadd50
  • SSDEEP: 3072:zr8WDrCo4eOyVTGfhEClj8jTk+0hdQaIDjiPBAp5XhKpt:PuyOiTGfhEClq9gQ3jiSbXEt

Malware Config

Signatures

  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • Neshta

    Neshta is a file-infector family: the malware inserts itself into other files to spread and cause damage.

  • Blocklisted process makes network request (1 IoC)
  • Drops file in Drivers directory (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.

  • Modifies registry class (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe (PID 432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe"
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe (PID 1976)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe"
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 4788)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Compan\New_\nitie_i_bluz.bat" "
        • Drops file in Drivers directory
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\WScript.exe (PID 1748)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compan\New_\slovi_volnui.vbs"
          • Drops file in Drivers directory
        • C:\Windows\SysWOW64\WScript.exe (PID 1912)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Compan\New_\sosni_tuntsai.vbs"
          • Blocklisted process makes network request

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\PROGRA~2\Compan\New_\UNINST~1.EXE
    Filesize: 96KB
    MD5: d71b13f92def297e825121f17af55cd3
    SHA1: 698b9ce199e11334bb9b9a3110fae69bc1a4fb32
    SHA256: 317f96042f7b48ce8d5e5390ff4755f2e7b2dae5a477bcc7da01c1e7a914500c
    SHA512: f4de31bfbb44080edd6fb488207718ff2797668041874f4f9c55a325fdec15ac1f66274bb3b3ecac596ca96e2c0faca560a7f28d15db6c4e536a784c69d2bf5a

  • C:\Program Files (x86)\Compan\New_\gutalinom.nah
    Filesize: 43B
    MD5: f2e0e659880e05a882ab7647cb9f81e4
    SHA1: a4c2100dec8a980ae6410cd317d4e8b79c1add73
    SHA256: ca6dfb79fcd371341ca3a122c0afd880cbbdf4098ae20d5b96f7eb61ab3b9ac7
    SHA512: bbfd4262363b6c8df745f82d9464b4a235d58f24413b75e4e63549e3b8155ccac6d63ac4647507be94f13557851d9fb92c2a576a12fbfe8b2d6981b0e55ff4ab

  • C:\Program Files (x86)\Compan\New_\nitie_i_bluz.bat
    Filesize: 1KB
    MD5: a971c2fd2e54e87d55c9ff7442579c6b
    SHA1: 5ab1c89daa6a47a31abd502023e5ab0b817cb849
    SHA256: fc5474c031ad0b5f506422e1ea68ad7ee5eb715e6146b871370f6f2994107353
    SHA512: e7f36cc7f9cfb2da46ef77a65f0fe8c38d47fa87e4570870c1993fa92b8a2328c4e6581c66d0112b072480366b3040ea8c6347174c61ec38386d1cb5627668df

  • C:\Program Files (x86)\Compan\New_\silk.node
    Filesize: 27B
    MD5: 213c0742081a9007c9093a01760f9f8c
    SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
    SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
    SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

  • C:\Program Files (x86)\Compan\New_\slovi_volnui.vbs
    Filesize: 791B
    MD5: 03e4ca9b64db726187d32b9e12e45780
    SHA1: af3c46e082896d85eb823353e7a5ad8cf7eb17a9
    SHA256: 1f590ea497fa07551781282c316515b0d3f06dffa2c5d4f7743b9b5dae6fe236
    SHA512: 725a038c1c4b0ff4e6614886f16d8665d043e23a80256d4e4a07e9e9849919386d07bcc4983944119a2b17859870c410b94ce2932a59c47728bb55ded64252e7

  • C:\Program Files (x86)\Compan\New_\sosni_tuntsai.vbs
    Filesize: 209B
    MD5: 375b55f0b4de79fcb39ba73232ec9dfb
    SHA1: 54b4610b1dc5bf5744070b52a7643d1de6627264
    SHA256: 508a3a6ccfc8608428f1b40eb303ad3daf579b903be40ec4d6d07731c09a1674
    SHA512: d72a4b671ccf001388bde0ad4c5886e34bb8b3ff1a9b3faf1d0b40a70ba1c5ce6ed15b563895544b748fdf246de819b0a1b19dfc543a513d8bf6f0a2531d635e

  • C:\Users\Admin\AppData\Local\Temp\3582-490\13a9d3c435a380078b27af0fbc57649289ed908d1c88fcb0dc813aad216d02ee.exe
    Filesize: 146KB
    MD5: 5f1157f916fa7b1e7832ea96c6cde882
    SHA1: 3d44a1f32b461457232a0d3fd809e9885e70fe1a
    SHA256: 082433298a0e3c92abb5de601467d076786d5978382017b5703d2c14d1d56118
    SHA512: 7cbb13cf567c75302689ea28d63628bbd84e1983f24c808e11fd805e94225ec2b8b97aadfa7ef451956f4b211b7b1cf72cddcb8e86a5b4195c8f62be2a5348f3

  • C:\Windows\System32\drivers\etc\hosts
    Filesize: 1KB
    MD5: 1b7d708bf2ac6a9f566e6e6e8589781f
    SHA1: e093b867d1f6bca785d9276ae69d603b78404f78
    SHA256: 0b855cf5e07f170036368d5eda185c2e8b2574a51be4aa52f8daeeb23d6f7781
    SHA512: f1d0472b9bc9483e7e678487b2bdf51c713621b7bdc06dbbb2bde924d8652e23af5642db2c365cef6e8708e94dd7412360b3076a4bb5c3e995d095a4442dff22

  • memory/1748-139-0x0000000000000000-mapping.dmp
  • memory/1912-141-0x0000000000000000-mapping.dmp
  • memory/1976-132-0x0000000000000000-mapping.dmp
  • memory/4788-135-0x0000000000000000-mapping.dmp