Analysis

  • max time kernel
    100s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2022 11:22

General

  • Target

    6b36249e44e14d67a29a6650b266c689d8b367e6f6963029684f1495bc6a8c0b.exe

  • Size

    485KB

  • MD5

    5eb956fad6e1c3762391c800f1df39e0

  • SHA1

    ea7ad866bfa997f39cb4e2ebaedd953fd05beb69

  • SHA256

    6b36249e44e14d67a29a6650b266c689d8b367e6f6963029684f1495bc6a8c0b

  • SHA512

    aa445d9d147444f9a8af5451bf4a21f799c75c419e18077560cba0458d8fc9538f1493956d122a42e8346f82b970d61af5d6f9346ebbea6eb04b5d2ff46fa3bd

  • SSDEEP

    6144:k98Vb3aZfhQuSZa5z42qGjZy2D+a48g4vKGggHSawol8Utv55DHt5Fsp6Yr681jM:5b3aVhQxsURG7gLZo8cvl

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b36249e44e14d67a29a6650b266c689d8b367e6f6963029684f1495bc6a8c0b.exe
    "C:\Users\Admin\AppData\Local\Temp\6b36249e44e14d67a29a6650b266c689d8b367e6f6963029684f1495bc6a8c0b.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Users\Admin\AppData\Local\Temp\3582-490\6b36249e44e14d67a29a6650b266c689d8b367e6f6963029684f1495bc6a8c0b.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\6b36249e44e14d67a29a6650b266c689d8b367e6f6963029684f1495bc6a8c0b.exe"
      2⤵
      • Executes dropped EXE
      PID:4844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 608
        3⤵
        • Program crash
        PID:4592
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4844 -ip 4844
    1⤵
      PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    T1042 Change Default File Association (1)
  • Defense Evasion
    T1112 Modify Registry (1)
  • Credential Access
    T1081 Credentials in Files (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (2)
  • Collection
    T1005 Data from Local System (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\6b36249e44e14d67a29a6650b266c689d8b367e6f6963029684f1495bc6a8c0b.exe

    Filesize

    444KB

    MD5

    1108b166160d6023af76435b074052b6

    SHA1

    7538372af2b7dc03f908a94cba7d046d301c805e

    SHA256

    52b032521b4cd24a4268472bcff3be42fd8166a5cc5993b89f79575aa0279666

    SHA512

    f12dea253197375dbbe06d9c51d4016abdbe4f8f5cdd756880e53c211412ae19a2d23f2cc8cd0c39b6b2675cc4085d64070569c23e7c411b859dca073973797b

  • memory/4844-132-0x0000000000000000-mapping.dmp