Overview

overview

10

Static

static

c30f1695fe...31.exe

windows7-x64

10

c30f1695fe...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2022 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31.exe

  • Size

    1.5MB

  • MD5

    0a9b435e956bfdde213943ece43e96e0

  • SHA1

    6103632e4984d40d37fb663fd813275afbd62871

  • SHA256

    c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31

  • SHA512

    25a192a992b2d81f10ae8349dd6abd8fbc6ce88ef95f813fbb8309ef68e1a47412ac6f3b192a29f910756210358084e50dbebf0912c04b8eee2392c685ecd534

  • SSDEEP

    24576:x0fTYgB8JTFhrylf/gv/iqWL6xTuH84z+i7vzCTogVbPmcC:x0fTxB8JTFhIgv/isxTuHJCTog1mcC

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 2 IoCs
  • Registers COM server for autorun 1 TTPs 5 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31.exe
    "C:\Users\Admin\AppData\Local\Temp\c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Users\Admin\AppData\Local\Temp\3582-490\c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" /RegServer "/dll=C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.12.11510.1228\gtn.dll" "/swg64=C:\Program Files\Google\GoogleToolbarNotifier\5.12.11510.1228\swg64.dll"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe -s "C:\Program Files\Google\GoogleToolbarNotifier\5.12.11510.1228\swg64.dll"
          4⤵
          • Registers COM server for autorun
          • Loads dropped DLL
          • Modifies registry class
          PID:4540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.12.11510.1228\gtn.dll
    Filesize

    140KB

    MD5

    a2a751f1f440046769828c8f27f1885d

    SHA1

    c6594b688ea1cacf9ec867f5ad58c419e7440b9e

    SHA256

    91cb858f2a30cc23e25138d094a743206d765613c70b9a42e511caf32e8761a5

    SHA512

    1250e5d378f4766bf60463f81f7a732b66d94d45d613bac2825a985837a221fd54b6fe57344aeac74f4df9221c9f28a963d8d7c54e5442b3190841e1ff28523b

    Download Submit

  • C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.12.11510.1228\gtn.dll
    Filesize

    140KB

    MD5

    a2a751f1f440046769828c8f27f1885d

    SHA1

    c6594b688ea1cacf9ec867f5ad58c419e7440b9e

    SHA256

    91cb858f2a30cc23e25138d094a743206d765613c70b9a42e511caf32e8761a5

    SHA512

    1250e5d378f4766bf60463f81f7a732b66d94d45d613bac2825a985837a221fd54b6fe57344aeac74f4df9221c9f28a963d8d7c54e5442b3190841e1ff28523b

    Download Submit

  • C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.12.11510.1228\swg.dll
    Filesize

    914KB

    MD5

    d0c4c5ba3a95ee1a03ab1584d3bd4583

    SHA1

    a5864868ecb704a1202454dd9d2421a31a891fa1

    SHA256

    c7f7d193f353462e4a544538591d9c41bc9262e57d6a77d4b2c134fac8134614

    SHA512

    f28189950afc12e60b526ff4b1528d3ab7a190564fea350e69475dd08114aabe38abc580568a26c867328c274fd3974a3b280a9b38067457bdb69f0e1fde973e

    Download Submit

  • C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.12.11510.1228\swg.dll
    Filesize

    914KB

    MD5

    d0c4c5ba3a95ee1a03ab1584d3bd4583

    SHA1

    a5864868ecb704a1202454dd9d2421a31a891fa1

    SHA256

    c7f7d193f353462e4a544538591d9c41bc9262e57d6a77d4b2c134fac8134614

    SHA512

    f28189950afc12e60b526ff4b1528d3ab7a190564fea350e69475dd08114aabe38abc580568a26c867328c274fd3974a3b280a9b38067457bdb69f0e1fde973e

    Download Submit

  • C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    Filesize

    38KB

    MD5

    5d61be7db55b026a5d61a3eed09d0ead

    SHA1

    215950ce5d40907b041346f22b4e404ee591581d

    SHA256

    d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae

    SHA512

    b1dbb67867cbb36c322bd774bf01267f56e398e364ebce4bd6f67c225c330b0b1843b06397e55f7f04dcc8d75b039083ccf08313b0ed03ecff7eb00033b0a598

    Download Submit

  • C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    Filesize

    38KB

    MD5

    5d61be7db55b026a5d61a3eed09d0ead

    SHA1

    215950ce5d40907b041346f22b4e404ee591581d

    SHA256

    d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae

    SHA512

    b1dbb67867cbb36c322bd774bf01267f56e398e364ebce4bd6f67c225c330b0b1843b06397e55f7f04dcc8d75b039083ccf08313b0ed03ecff7eb00033b0a598

    Download Submit

  • C:\Program Files\Google\GoogleToolbarNotifier\5.12.11510.1228\swg64.dll
    Filesize

    245KB

    MD5

    8790afb502a5638af9769ebc0f93868a

    SHA1

    465bacf4cfff60bd5de57743ce3c106716d45b04

    SHA256

    40ec2b0fe7b98182d572fb5a031a1c77f5620e269fbab86d2a5afcb4499915f7

    SHA512

    80ca30c91d0d4a93830881623d72c24908551457551be9d5782ed8f6624e54d71eaa61de8dae23c627dd361eb3d038c0258bbd739b5be70bc026f27ac380ee9d

    Download Submit

  • C:\Program Files\Google\GoogleToolbarNotifier\5.12.11510.1228\swg64.dll
    Filesize

    245KB

    MD5

    8790afb502a5638af9769ebc0f93868a

    SHA1

    465bacf4cfff60bd5de57743ce3c106716d45b04

    SHA256

    40ec2b0fe7b98182d572fb5a031a1c77f5620e269fbab86d2a5afcb4499915f7

    SHA512

    80ca30c91d0d4a93830881623d72c24908551457551be9d5782ed8f6624e54d71eaa61de8dae23c627dd361eb3d038c0258bbd739b5be70bc026f27ac380ee9d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31.exe
    Filesize

    1.5MB

    MD5

    0ceed1d533cae0741d56d83ab5cb004f

    SHA1

    f3a812a68f40a7c4d0b2135c011f86126d337d4e

    SHA256

    99f24e71da17715d2d9aefec8f3a35b545918bc483c3a1e998940c562f53c830

    SHA512

    a63e3f837dd57d7cf40cf3dd54b5ecccd27624052d3e0850110dff01d22b649a7d475d651e6501bb83043370d349defabc9f28694e41b4ab19a741a995103149

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\c30f1695fec5a70fa7137cb8b9883bc5b486edd2bb58267a2646d6ea8b22ef31.exe
    Filesize

    1.5MB

    MD5

    0ceed1d533cae0741d56d83ab5cb004f

    SHA1

    f3a812a68f40a7c4d0b2135c011f86126d337d4e

    SHA256

    99f24e71da17715d2d9aefec8f3a35b545918bc483c3a1e998940c562f53c830

    SHA512

    a63e3f837dd57d7cf40cf3dd54b5ecccd27624052d3e0850110dff01d22b649a7d475d651e6501bb83043370d349defabc9f28694e41b4ab19a741a995103149

    Download Submit

  • memory/2028-132-0x0000000000000000-mapping.dmp

    Download

  • memory/2232-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4540-142-0x0000000000000000-mapping.dmp

    Download