Overview

overview

10

Static

static

10

3dec858cab...94.exe

windows7-x64

10

3dec858cab...94.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    222s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe

  • Size

    101KB

  • MD5

    73c3b1ed77b34f3521b9c4ec3b1d8025

  • SHA1

    ee9dd2e2ddb20d4d4ef1e869f10284f42ca881b3

  • SHA256

    3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894

  • SHA512

    736cb56a67a3767730ce41e09ba878ee56454fbde70a22f8d9112ab95a2c48a3ff3d63394d35f0651b0ade434a01390b86f145b77acd0024cf2c631da8d09f8c

  • SSDEEP

    1536:JxqjQ+P04wsmJCIcdHGe/jITeo/Mds0S1Kq7w7DXP:sr85CIcBGe/jITeokdK1187D/

Score
10/10
neshtaevasionpersistencespyware

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 42 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe
    "C:\Users\Admin\AppData\Local\Temp\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
          C:\Users\Admin\AppData\Local\Temp\Trojan.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4784
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            PID:2728
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 1280
            5⤵
              PID:1172

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
      Filesize

      982KB

      MD5

      4e8c731e3175d6d2f5085fe55974e1db

      SHA1

      74604823bd1e5af86d66e4986c1203f2bf26e657

      SHA256

      8a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325

      SHA512

      a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe
      Filesize

      61KB

      MD5

      7a292a3626d43c9b9de3e3cde8320334

      SHA1

      a10b7e2117faccc4c46fd859143e5b14f8700d69

      SHA256

      4c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919

      SHA512

      f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\3dec858cab70ff3b6868e479c434327dcdea0271861c83103b5aa6a1a010d894.exe
      Filesize

      61KB

      MD5

      7a292a3626d43c9b9de3e3cde8320334

      SHA1

      a10b7e2117faccc4c46fd859143e5b14f8700d69

      SHA256

      4c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919

      SHA512

      f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      61KB

      MD5

      7a292a3626d43c9b9de3e3cde8320334

      SHA1

      a10b7e2117faccc4c46fd859143e5b14f8700d69

      SHA256

      4c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919

      SHA512

      f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      Filesize

      61KB

      MD5

      7a292a3626d43c9b9de3e3cde8320334

      SHA1

      a10b7e2117faccc4c46fd859143e5b14f8700d69

      SHA256

      4c48fdffe1d4d21fe51ec53dc4046d54fb1af4c3f32818f17eef272e8ef9b919

      SHA512

      f73a12cab3536e295fea2aced1587398e079378471884f08407f48810c3a879c1e3a0382d778ec28635c1daac5b8d65d20a8d63e0edd261a54a4d783a83f1cda

      Download Submit
    • C:\Windows\5qfsNWybqKe0UvWe
      Filesize

      40B

      MD5

      81bdc05093573219d3999ea0bcf716e3

      SHA1

      89aef63d71557f1995f79a029073a13546b7dca7

      SHA256

      36ac5faac9bb21a817c629bb00eecbcd7991a66313efc825150b74f809b04884

      SHA512

      f196dda8b05f09cde36cee56473077892ad5d1e1d25cba0fb392983f32b9db22199ffc821d8e904602bb921e08e907916065a2d40157be721088e1c27f6d95e6

      Download Submit
    • C:\Windows\svchost.com
      Filesize

      40KB

      MD5

      36fd5e09c417c767a952b4609d73a54b

      SHA1

      299399c5a2403080a5bf67fb46faec210025b36d

      SHA256

      980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

      SHA512

      1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

      Download Submit
    • C:\Windows\svchost.com
      Filesize

      40KB

      MD5

      36fd5e09c417c767a952b4609d73a54b

      SHA1

      299399c5a2403080a5bf67fb46faec210025b36d

      SHA256

      980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

      SHA512

      1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

      Download Submit
    • C:\odt\OFFICE~1.EXE
      Filesize

      5.1MB

      MD5

      02c3d242fe142b0eabec69211b34bc55

      SHA1

      ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

      SHA256

      2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

      SHA512

      0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

      Download Submit
    • memory/1172-150-0x0000000000000000-mapping.dmp
      Download
    • memory/1948-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2728-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3676-143-0x0000000073400000-0x00000000739B1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3676-132-0x0000000000000000-mapping.dmp
      Download
    • memory/3676-136-0x0000000073400000-0x00000000739B1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3676-135-0x0000000073400000-0x00000000739B1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4784-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4784-145-0x0000000073400000-0x00000000739B1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4784-149-0x0000000073400000-0x00000000739B1000-memory.dmp
      Filesize

      5.7MB

      Download