Overview

overview

10

Static

static

10

d08e310d63...0a.exe

windows7-x64

10

d08e310d63...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe

  • Size

    159KB

  • MD5

    5e1327f7036a7a432da69e47e61fc7b0

  • SHA1

    a886f14639dc174864330e5a4344b56f9d43b467

  • SHA256

    d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a

  • SHA512

    cd14759c2f012357ed70112e8947edac6ec6f80e546ad5dd5d1eebfb01b85f9775ea24f6e5bf6a0e61fd0ead1e118cf5f9f23e1f3c89d941519ffa907b0fa116

  • SSDEEP

    3072:sr85CZxwGdGq0ElNTO+HmVfchlsugJDoPysVinrRqBYMmJohcX8J:k9TwGd1DN/H8f9oPysViSDXhcX8J

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
    "C:\Users\Admin\AppData\Local\Temp\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Users\Admin\AppData\Local\Temp\3582-490\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Users\Admin\AppData\Local\Temp\Server.exe
          C:\Users\Admin\AppData\Local\Temp\Server.exe
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4948
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Windows\Chrome.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Windows\Chrome.exe
              C:\Windows\Chrome.exe
              6⤵
              • Executes dropped EXE
              PID:3196

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
    Filesize

    118KB

    MD5

    d25bdff6d3851ab65de0cdcfdde00374

    SHA1

    edf43f729b4ec9f234f46b59ff3c1e0205481779

    SHA256

    e34dd42c0134047595b0075b8bd90acb42676ff54cf941812d47c341787d2a4d

    SHA512

    d4cee253069fc95d049c93b0269b6f62f191dbef96ece3fffb6d63702daf35160fb468f756acf2e0ee44bb81e997aa6f5c1d8e62cfa560e0f61aab098bb02d98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
    Filesize

    118KB

    MD5

    d25bdff6d3851ab65de0cdcfdde00374

    SHA1

    edf43f729b4ec9f234f46b59ff3c1e0205481779

    SHA256

    e34dd42c0134047595b0075b8bd90acb42676ff54cf941812d47c341787d2a4d

    SHA512

    d4cee253069fc95d049c93b0269b6f62f191dbef96ece3fffb6d63702daf35160fb468f756acf2e0ee44bb81e997aa6f5c1d8e62cfa560e0f61aab098bb02d98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    78KB

    MD5

    02329f96ab9ff4b04a08a2766605b63a

    SHA1

    988fc4dbd1f74f31c019ac70024eae243e9787c2

    SHA256

    1c6b57edb0682a7f1c4fba81386438fefdda983a25d3835265f1307f89e1e7eb

    SHA512

    dc49273aede628e5b8b2c4fb7eb39467cbb410b4d5b36691a89bb1931e6df221e1c200926cd116f849aedad1e7a1358e2a70474fbeb1c31c81f3e2e262ffd160

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    78KB

    MD5

    02329f96ab9ff4b04a08a2766605b63a

    SHA1

    988fc4dbd1f74f31c019ac70024eae243e9787c2

    SHA256

    1c6b57edb0682a7f1c4fba81386438fefdda983a25d3835265f1307f89e1e7eb

    SHA512

    dc49273aede628e5b8b2c4fb7eb39467cbb410b4d5b36691a89bb1931e6df221e1c200926cd116f849aedad1e7a1358e2a70474fbeb1c31c81f3e2e262ffd160

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    78KB

    MD5

    02329f96ab9ff4b04a08a2766605b63a

    SHA1

    988fc4dbd1f74f31c019ac70024eae243e9787c2

    SHA256

    1c6b57edb0682a7f1c4fba81386438fefdda983a25d3835265f1307f89e1e7eb

    SHA512

    dc49273aede628e5b8b2c4fb7eb39467cbb410b4d5b36691a89bb1931e6df221e1c200926cd116f849aedad1e7a1358e2a70474fbeb1c31c81f3e2e262ffd160

    Download Submit

  • C:\Windows\Chrome.exe
    Filesize

    78KB

    MD5

    02329f96ab9ff4b04a08a2766605b63a

    SHA1

    988fc4dbd1f74f31c019ac70024eae243e9787c2

    SHA256

    1c6b57edb0682a7f1c4fba81386438fefdda983a25d3835265f1307f89e1e7eb

    SHA512

    dc49273aede628e5b8b2c4fb7eb39467cbb410b4d5b36691a89bb1931e6df221e1c200926cd116f849aedad1e7a1358e2a70474fbeb1c31c81f3e2e262ffd160

    Download Submit

  • C:\Windows\Chrome.exe
    Filesize

    78KB

    MD5

    02329f96ab9ff4b04a08a2766605b63a

    SHA1

    988fc4dbd1f74f31c019ac70024eae243e9787c2

    SHA256

    1c6b57edb0682a7f1c4fba81386438fefdda983a25d3835265f1307f89e1e7eb

    SHA512

    dc49273aede628e5b8b2c4fb7eb39467cbb410b4d5b36691a89bb1931e6df221e1c200926cd116f849aedad1e7a1358e2a70474fbeb1c31c81f3e2e262ffd160

    Download Submit

  • C:\Windows\directx.sys
    Filesize

    46B

    MD5

    4a4acd32aceb74f3bb94d561db309dcc

    SHA1

    39459b7563df4ef4f643a7afbc3dfc9de8909711

    SHA256

    2718ec016cb6d868bffa655e7fae1aa7c17405419c4e014acc5ece8e90290085

    SHA512

    49e41b126f663121b455911f880d7288f8fc943a715f217a5afeb99904de04a8b68524f7ca3fa9c02c8a6c19e5fc10bdf8ef7d7ed975f8e48a485a0e49145c44

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    64eb93f53a52d9e1ae26e4dee2b3a165

    SHA1

    f7d40ef03687619c00e8d267876ef8a2a9e692cf

    SHA256

    f005d859de5777c8dd71b697018d47eeab63134ad14e975226c0a192039c3430

    SHA512

    1004d46c82181ab0c5f4a3326082deb2b6d47907d6998f755e56a9b28c3baf93170c307c32d059ec1c742cbe1029f96a6d3cf635cba216c142e1d7dadde7a7d9

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    64eb93f53a52d9e1ae26e4dee2b3a165

    SHA1

    f7d40ef03687619c00e8d267876ef8a2a9e692cf

    SHA256

    f005d859de5777c8dd71b697018d47eeab63134ad14e975226c0a192039c3430

    SHA512

    1004d46c82181ab0c5f4a3326082deb2b6d47907d6998f755e56a9b28c3baf93170c307c32d059ec1c742cbe1029f96a6d3cf635cba216c142e1d7dadde7a7d9

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    64eb93f53a52d9e1ae26e4dee2b3a165

    SHA1

    f7d40ef03687619c00e8d267876ef8a2a9e692cf

    SHA256

    f005d859de5777c8dd71b697018d47eeab63134ad14e975226c0a192039c3430

    SHA512

    1004d46c82181ab0c5f4a3326082deb2b6d47907d6998f755e56a9b28c3baf93170c307c32d059ec1c742cbe1029f96a6d3cf635cba216c142e1d7dadde7a7d9

    Download Submit

  • C:\odt\OFFICE~1.EXE
    Filesize

    5.1MB

    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

    Download Submit

  • memory/3068-145-0x0000000000000000-mapping.dmp

    Download

  • memory/3196-149-0x0000000000000000-mapping.dmp

    Download

  • memory/3196-151-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3196-153-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4948-142-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4948-143-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4948-139-0x0000000000000000-mapping.dmp

    Download

  • memory/4948-152-0x0000000074840000-0x0000000074DF1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/5040-135-0x0000000000000000-mapping.dmp

    Download

  • memory/5100-132-0x0000000000000000-mapping.dmp

    Download