Analysis
-
max time kernel
205s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 13:04
General
-
Target
15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a.exe
-
Size
352KB
-
MD5
195d3d302d1b26fcdcd8e955bdfb9a35
-
SHA1
db2464c6d6c5e113f968b88e258b66e19dd7755f
-
SHA256
15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a
-
SHA512
e22b960135bf78376edae983b0a0d8afe9d3733cca3179f739f7aaad9c2cc1627d849cbb505c8f0545ccac966aabd77cd9475ae1024e74391a7f7fc4b448ac1a
-
SSDEEP
6144:k9W1DrcgbeDhFJAMBkRzU+ojvIElX+p8EZZDm+96:vPcgq1FGMiRzfojvIppYq6
Malware Config
Signatures
-
Detect Neshta payload 18 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 3 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a.exe"C:\Users\Admin\AppData\Local\Temp\15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\system.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\system.exeC:\Users\Admin\system.exe4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\system.exe" "system.exe" ENABLE5⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exeFilesize
982KB
MD54e8c731e3175d6d2f5085fe55974e1db
SHA174604823bd1e5af86d66e4986c1203f2bf26e657
SHA2568a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325
SHA512a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exeFilesize
664KB
MD5522c12509a9fde92565e673f2f47a0b9
SHA13cb06efb8b369eb72c55a83f2e89732a924a96f8
SHA2565cbea72c5565c342e07edfc8902eeea7cfb450362f2ce0cb7b1b184dbf72ef64
SHA512b112b9d568cf9c14cd289b1dc9dc173d800b0b70c63221cbcc326f6727d56027dcc7355599a0bc9a4c6d9abb39281456cc5a138f625147efef9819ebee9fea35
-
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXEFilesize
178KB
MD5f1e707e6e6a6bd544e1f4c04dae68f0b
SHA17328d139b7378264796838c9b7ffedc233589cde
SHA25698764ffe0366a01ae235033054556e52d6061633dfb6fba210940c89500809d2
SHA51218a16bdb76f2749ed318873122b6e6374449d20cec4ae6a9fa1368a830a17064be266840dc89fe587ee0667b1d5b2942e32947a6e429109900816179ecdfe9cf
-
C:\PROGRA~2\Google\Update\DISABL~1.EXEFilesize
231KB
MD52a226fd810c5ce7b825ff7982bc22a0b
SHA158be5cb790336a8e751e91b1702a87fc0521a1d8
SHA256af9e01dab96c2a54e2751a0d703cc55fdcc5ac00c40f0be2e13fd85c09b66132
SHA512f122ce37b07871b88e322b0ca2e42f3170704d4165167d6d7b02883da9d2be5d2d62bdbd9f7e18d1c0c5e60e9e707a3b64ddb99150c99028333818dfa769deeb
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXEFilesize
179KB
MD5c3faf2d052b6f1d2a4950004278e5e76
SHA1f58531434952cc7ba2c9f55b4ad03beec9cd1ffb
SHA2569507ade9fdc6a4195cbb1fc18864d4f9feaee0079183b12215f58a3d31b027fe
SHA51270510254cde82024a86e4053e72afe523674efea79346e10beed328070b522940d1dd01dff5c19da23100c734d7edf77e762702535e2c58bc2952557dac38a0f
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{9B826~1\MicrosoftEdgeUpdateSetup_X86_1.3.165.21.exeFilesize
1.6MB
MD5c4f49ac29e45d7ea05722724437f20fd
SHA1147da727d43c478757de1d0d1f6750a6d6901c9a
SHA256b3800a972b7ce122a7ae264da0ab65f0448c6250561c3021a3859fcdf5af59b4
SHA5127d3cb239bc7da5458416e42246f7dfa09e2ca188a1f42c85429b78aa12671c5512435560aa62ccc84cdeebb1b64f2fef0f2af320b634177659372305bf11af85
-
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exeFilesize
534KB
MD53bf259392097b2c212b621a52da03706
SHA1c740b063803008e3d4bab51b8e2719c1f4027bf9
SHA25679538fa3a6cf33b989d43e7311de4d7b0e1a99b60964e3acc00fa3cb49ff8160
SHA512186a81ec6cfa4c6dbcb2dc51cbd647bf44328077b58575fafab920303ccf259322cd31fccc0bb23418293f1b88d7f21ab3f0d8e3f9af7db4b5d3f7c8978c7934
-
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXEFilesize
6.7MB
MD563dc05e27a0b43bf25f151751b481b8c
SHA1b20321483dac62bce0aa0cef1d193d247747e189
SHA2567d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXEFilesize
485KB
MD586749cd13537a694795be5d87ef7106d
SHA1538030845680a8be8219618daee29e368dc1e06c
SHA2568c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA5127b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXEFilesize
674KB
MD57656a9e9eca746b0b193804f287d4e9c
SHA17bd62dfcf9012b8ddb7209709101614a0be4efc1
SHA256afa2810184786e0a5036f25886bb2e1049a916c54137bf2a79f79154d01195bb
SHA512e880691a38474ae77be32db3da42cfcc804bc0610883cf5ea8911a7d333e47ec4335499b24834e4ab1cacd0d14185d916669a452d68c43bce90f7b975479ec06
-
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXEFilesize
715KB
MD54cf3954a39b7e27f364cbb5e58a3a957
SHA14498a5dea907da2b85e30bf6a1ebddfbaba2eb18
SHA256f24a6d80aff3ee9ee65a609376d1aa3fdb3a034847ebbc0e4e65ff20ab0893fb
SHA512d7dd8c5ad15dda561ae309fbf18e5ad2e852e951e937ea062cc0cb035df74ecb5a9aa636c6813aef37271268cedb1b3c5d39a8b6519fd54f5346445a2a9ef57d
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXEFilesize
536KB
MD531685b921fcd439185495e2bdc8c5ebf
SHA15d171dd1f2fc2ad55bde2e3c16a58abff07ae636
SHA2564798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c
SHA51204a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f
-
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXEFilesize
525KB
MD5f6636e7fd493f59a5511f08894bba153
SHA13618061817fdf1155acc0c99b7639b30e3b6936c
SHA25661720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1
-
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXEFilesize
536KB
MD53e8de969e12cd5e6292489a12a9834b6
SHA1285b89585a09ead4affa32ecaaa842bc51d53ad5
SHA2567a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf
SHA512b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e
-
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exeFilesize
1.7MB
MD5e25ffbddf046809226ea738583fd29f9
SHA1ebda60d1f49cd1c2559d6c0f0a760dac7f38ce98
SHA25691630469f3d18ebf1be43522b6dcb6547c3b67ab7a17a246e1b2122628dfcd80
SHA5124417cba81c77c2a60e448b69dc615574ed4862fd97af014ebdf3ffbdde8a6c9bc32aca4881f59037f908a67b674d9e49b817fc1e6865e8f08e374f36baade101
-
C:\Users\Admin\AppData\Local\Temp\3582-490\15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a.exeFilesize
311KB
MD5a9da88e876bdc10476ede5d97512d3ed
SHA1708a54690955642c8ee53547d470ccf7732170cd
SHA256a6b792153ab8afdc04ee567db62c9df9549019d95e4706df9b00948c65d9b8ca
SHA512b2465abedfeb40664a7e1ec2814ceae9e17cf7e6319844e6bc724a91d9581076469c64bc5aace2e991fba6812a18592e31646df0abbf105baeddad66f384dfd1
-
C:\Users\Admin\AppData\Local\Temp\3582-490\15d24e4e0a2ec8e7b23736e331ebcb3ff7dc735babeb5f0610a06e868e51345a.exeFilesize
311KB
MD5a9da88e876bdc10476ede5d97512d3ed
SHA1708a54690955642c8ee53547d470ccf7732170cd
SHA256a6b792153ab8afdc04ee567db62c9df9549019d95e4706df9b00948c65d9b8ca
SHA512b2465abedfeb40664a7e1ec2814ceae9e17cf7e6319844e6bc724a91d9581076469c64bc5aace2e991fba6812a18592e31646df0abbf105baeddad66f384dfd1
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\38A365~1.EXEFilesize
311KB
MD5a9da88e876bdc10476ede5d97512d3ed
SHA1708a54690955642c8ee53547d470ccf7732170cd
SHA256a6b792153ab8afdc04ee567db62c9df9549019d95e4706df9b00948c65d9b8ca
SHA512b2465abedfeb40664a7e1ec2814ceae9e17cf7e6319844e6bc724a91d9581076469c64bc5aace2e991fba6812a18592e31646df0abbf105baeddad66f384dfd1
-
C:\Users\Admin\system.exeFilesize
311KB
MD5a9da88e876bdc10476ede5d97512d3ed
SHA1708a54690955642c8ee53547d470ccf7732170cd
SHA256a6b792153ab8afdc04ee567db62c9df9549019d95e4706df9b00948c65d9b8ca
SHA512b2465abedfeb40664a7e1ec2814ceae9e17cf7e6319844e6bc724a91d9581076469c64bc5aace2e991fba6812a18592e31646df0abbf105baeddad66f384dfd1
-
C:\Users\Admin\system.exeFilesize
311KB
MD5a9da88e876bdc10476ede5d97512d3ed
SHA1708a54690955642c8ee53547d470ccf7732170cd
SHA256a6b792153ab8afdc04ee567db62c9df9549019d95e4706df9b00948c65d9b8ca
SHA512b2465abedfeb40664a7e1ec2814ceae9e17cf7e6319844e6bc724a91d9581076469c64bc5aace2e991fba6812a18592e31646df0abbf105baeddad66f384dfd1
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\odt\OFFICE~1.EXEFilesize
5.1MB
MD502c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/432-144-0x0000000000000000-mapping.dmp
-
memory/1608-135-0x00007FF8CA490000-0x00007FF8CAEC6000-memory.dmpFilesize
10.2MB
-
memory/1608-132-0x0000000000000000-mapping.dmp
-
memory/2288-142-0x00007FF8CA490000-0x00007FF8CAEC6000-memory.dmpFilesize
10.2MB
-
memory/2288-140-0x0000000000000000-mapping.dmp
-
memory/5048-136-0x0000000000000000-mapping.dmp