Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 17:20

General

  • Target

    faa2575a69e2ace3f31fd12e055bcd62e99a0581c27e10e81a62c518a1676271.exe

  • Size

    136KB

  • MD5

    43129af9a35950bda6543b7bc95ddc52

  • SHA1

    bf3215a555868125e598bb8851b3fbda55e26bea

  • SHA256

    faa2575a69e2ace3f31fd12e055bcd62e99a0581c27e10e81a62c518a1676271

  • SHA512

    807ab29e14088fbade1e36631c5589469b19bd3fab6280634e84d6fdc284d83e6e3753944fb7a46637c755f9d7a12b0092518acf002982cfba35c5f8f7b08f9c

  • SSDEEP

    1536:JxqjQ+P04wsmJCRp/i55b8MfoN5MEjhNbo6FG5Z:sr85CRp/Abp8dY6FG5Z

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it inserts copies of itself into other files in order to spread and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\faa2575a69e2ace3f31fd12e055bcd62e99a0581c27e10e81a62c518a1676271.exe
    "C:\Users\Admin\AppData\Local\Temp\faa2575a69e2ace3f31fd12e055bcd62e99a0581c27e10e81a62c518a1676271.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4912
    • C:\Users\Admin\AppData\Local\Temp\3582-490\faa2575a69e2ace3f31fd12e055bcd62e99a0581c27e10e81a62c518a1676271.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\faa2575a69e2ace3f31fd12e055bcd62e99a0581c27e10e81a62c518a1676271.exe"
      2⤵
      • Executes dropped EXE
      PID:2868

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\faa2575a69e2ace3f31fd12e055bcd62e99a0581c27e10e81a62c518a1676271.exe

    Filesize

    96KB

    MD5

    e8daa0b7989b7d4dc11541a0c8919d20

    SHA1

    a03eb714ec70fb9f0d031b0966111902ed6c026d

    SHA256

    5dc11658f0b73da5727a14487193ff2a64396d8804869670e388239b28d5af30

    SHA512

    0a049af034f571b24026c4d4c37299278515a2583d6956b9b8d95bd5b356e5800aa594ad244438db30dfdde2d8f48dc1f8b4d20e9effc5e97a21a5e05222849c

  • memory/2868-135-0x0000000000000000-mapping.dmp