Analysis

  • max time kernel
    169s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-11-2022 02:57

General

  • Target

    39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe

  • Size

    321KB

  • MD5

    4fcdbd9239fbeea3ecdae855601e8de2

  • SHA1

    a23903fc13d3c9d9e99b0146502b1f625db1d24a

  • SHA256

    39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd

  • SHA512

    6b6f5f243c5ce206e9679fdda767f0c955e9e7bbe04b2191fdd9e4cefcb2f7e39455dac45749f946b7691211087b6958fefe9013bcf598bf67ebc23bdb67d13c

  • SSDEEP

    6144:k9kAW12GhNB0vi2+XuX1ECuoZzMC8cOF3DqBLL/nAVQ:Pv2iNB0KlXumCuoZAC8cOF3D4L9

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it prepends its own code to the .exe files it finds, so each infected program carries the infector and hands control to it first (the 28 files written under Program Files in this run are consistent with that). When an infected file runs, the infector writes the original program to a scratch folder under %TEMP% (here C:\Users\Admin\AppData\Local\Temp\3582-490\) and executes it, so the victim sees the program start as usual. It also drops a stub at C:\Windows\svchost.com and registers it as the handler for the exefile type, so every .exe the user launches passes through the stub first; the svchost.com to Windows.exe hop in the process tree is that hijack in action.

  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour", but for a file infector such as Neshta, enumerating drives is equally consistent with searching for .exe files to infect; do not read this signature on its own as evidence of encryption activity.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
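
Added example (not part of the sandbox report and not the sample's own code): recovering the original program from a prepend-style infected executable. It assumes the Neshta layout of infector code first with the original executable appended, which the file sizes in this report are consistent with (the 321KB sample is roughly the 280KB clean host re-dropped to 3582-490 plus the 40KB of svchost.com). The infected bytes below are constructed for the demonstration; the 0x1000 bound on e_lfanew and the machine-type whitelist are this example's own sanity checks.

```python
"""Carve the original program out of a prepend-style infected executable.

Added example, not part of the sandbox report. The STUB/HOST/INFECTED bytes
are constructed here and are not the real sample.
"""
import struct
from typing import List, Optional, Tuple

# IMAGE_FILE_MACHINE values accepted when validating a candidate PE header.
KNOWN_MACHINES = {0x14C, 0x8664, 0x1C0, 0xAA64}   # i386, amd64, arm, arm64


def pe_header_offsets(data: bytes) -> List[int]:
    """Offsets of every 'MZ' that is followed by a plausible PE header.

    A bare 'MZ' search is not enough: a file infector keeps 'MZ' strings in
    its own data to recognise targets, so each hit must have an e_lfanew that
    lands on 'PE\\0\\0' with a known machine type."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew below 0x40 overlaps the DOS header; 0x1000 is an
            # arbitrary upper sanity bound (assumption) against random data.
            if (0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data)
                    and data[pe:pe + 4] == b"PE\0\0"):
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                if machine in KNOWN_MACHINES:
                    found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def carve_host(infected: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (stub_length, original_bytes) for a prepend-style infection,
    or None when the file holds a single executable (not infected this way)."""
    offsets = pe_header_offsets(infected)
    if len(offsets) < 2:
        return None
    host_at = offsets[1]
    return host_at, infected[host_at:]


def build_fake_pe(body: bytes, machine: int = 0x14C) -> bytes:
    """Constructed test data: DOS header with e_lfanew, PE signature, a
    20-byte COFF header and an arbitrary body. Not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + body


# Constructed stub with a decoy 'MZ' (zero e_lfanew) in its body, then the
# constructed host appended after it, as a prepending infector would lay it out.
STUB = build_fake_pe(b"\x90" * 200 + b"MZ" + b"\x00" * 300 + b"stub-data")
HOST = build_fake_pe(b"original host code " * 20, machine=0x8664)
INFECTED = STUB + HOST

if __name__ == "__main__":
    result = carve_host(INFECTED)
    print("stub bytes:", result[0], "host recovered:", result[1] == HOST)
```

On a real sample, compare the carved bytes against the clean copy the infector itself drops under 3582-490 (same hash expected) before trusting the carve; the second-header heuristic can still be fooled by a stub that embeds a complete decoy PE.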

Processes

  • C:\Users\Admin\AppData\Local\Temp\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
    "C:\Users\Admin\AppData\Local\Temp\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Users\Admin\AppData\Local\Temp\3582-490\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Users\Admin\AppData\Local\Temp\Windows.exe
          C:\Users\Admin\AppData\Local\Temp\Windows.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3248
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            PID:1424
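
Added example (not part of the sandbox report): triage rules that flag the Neshta chain from process-creation events like the tree above. The event records are constructed from that tree (same PIDs, images and command lines) plus two benign control events; the rule names, the ProcEvent layout and the list of user-writable path prefixes are this example's own conventions.

```python
"""Triage rules for the Neshta process chain in this report.

Added example, not part of the sandbox report. EVENTS is constructed from
the process tree on the page plus two benign controls.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Paths a standard user can write to (assumed list); a firewall exception for
# a program living here is far more suspicious than one for Program Files.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\)", re.I
)
# Neshta stub location seen in this report. The real service host is
# C:\Windows\System32\svchost.exe; a .com of that name directly under the
# Windows directory is not a Windows binary.
STUB_SUFFIX = "\\windows\\svchost.com"


@dataclass
class ProcEvent:
    pid: int
    ppid: int        # 0 when the parent is outside the captured tree
    image: str
    cmdline: str


def split_cmdline(cmdline: str) -> list:
    """Windows-style tokenizer: quoted runs may contain spaces and may be
    glued to an unquoted prefix (program="C:\\Program Files\\x.exe")."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def rule_stub_launch(ev: ProcEvent) -> Optional[str]:
    """The stub forwarding to a hijacked program: svchost.com "<path>.exe"."""
    if not ev.image.lower().endswith(STUB_SUFFIX):
        return None
    hosts = [a for a in split_cmdline(ev.cmdline)[1:] if a.lower().endswith(".exe")]
    return "neshta_stub_launch host=" + hosts[0] if hosts else "neshta_stub_launch"


def rule_clean_host_copy(ev: ProcEvent) -> Optional[str]:
    """The clean host run from the numbered %TEMP% folder (3582-490 here)."""
    if re.search(r"\\temp\\3582-490\\[^\\]+\.exe$", ev.image, re.I):
        return "neshta_clean_host_copy"
    return None


def rule_firewall_allow_user_path(ev: ProcEvent) -> Optional[str]:
    """netsh adding a firewall exception for a program in a user-writable
    directory (legacy 'firewall add allowedprogram' or 'advfirewall firewall
    add rule ... program=')."""
    if not ev.image.lower().endswith("\\netsh.exe"):
        return None
    toks = split_cmdline(ev.cmdline)
    if "add" not in [t.lower() for t in toks]:
        return None
    for t in toks:
        prog = t[len("program="):] if t.lower().startswith("program=") else t
        if prog.lower().endswith(".exe") and USER_WRITABLE.search(prog):
            return "firewall_allow_user_writable program=" + prog
    return None


RULES = (rule_stub_launch, rule_clean_host_copy, rule_firewall_allow_user_path)


def triage(events) -> list:
    """Return (pid, finding) pairs, including children spawned by the stub."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.pid, hit))
        parent = by_pid.get(ev.ppid)
        if parent and parent.image.lower().endswith(STUB_SUFFIX):
            findings.append((ev.pid, "launched_by_neshta_stub"))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe"
EVENTS = [  # constructed from the process tree on this page
    ProcEvent(64, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(4112, 64, TEMP + "\\3582-490\\" + SAMPLE, '"' + TEMP + "\\3582-490\\" + SAMPLE + '"'),
    ProcEvent(4604, 4112, r"C:\Windows\svchost.com",
              '"C:\\Windows\\svchost.com" "' + TEMP + '\\Windows.exe"'),
    ProcEvent(3248, 4604, TEMP + r"\Windows.exe", TEMP + r"\Windows.exe"),
    ProcEvent(1424, 3248, r"C:\Windows\SysWOW64\netsh.exe",
              'netsh firewall add allowedprogram "' + TEMP + '\\Windows.exe" "Windows.exe" ENABLE'),
    # Benign controls (constructed): the real service host, and a firewall
    # exception for a program under Program Files.
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(2200, 600, r"C:\Windows\System32\netsh.exe",
              'netsh advfirewall firewall add rule name="App" dir=in action=allow '
              'program="C:\\Program Files\\App\\app.exe"'),
]

if __name__ == "__main__":
    for pid, finding in triage(EVENTS):
        print(pid, finding)
```

The parent-image check is the one that survives renaming: even if the dropped host were not called Windows.exe, any process whose parent image is C:\Windows\svchost.com was started through the hijacked exefile association.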

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Change Default File Association (T1042) 1 signature
  • Modify Existing Service (T1031) 1 signature
  • Registry Run Keys / Startup Folder (T1060) 1 signature

Defense Evasion

  • Modify Registry (T1112) 2 signatures

Discovery

  • Query Registry (T1012) 1 signature
  • System Information Discovery (T1082) 2 signatures

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\39908b64078401f32938e6b792169deaa626bf6cb2551eb4026e5ec1a2b84fcd.exe
    Filesize

    280KB

    MD5

    84823c5b9d32a911ab73b944404db10b

    SHA1

    dbf16f73d3c50efdc2e51bd94604a0511e80b2b2

    SHA256

    14b6a43b74442f71a63b7bb043f3f0b884a0d7b7fb1c17d206baa180e8bdb41a

    SHA512

    31604acfdbc45448d432177494a4109da4738c568ab9576650321454d77d8551c9fa963adca924d80cfcbbb68dd03f4f4fd5914560ca4329be7d46f39ad5d573

  • C:\Users\Admin\AppData\Local\Temp\Windows.exe
    Filesize

    280KB

    MD5

    84823c5b9d32a911ab73b944404db10b

    SHA1

    dbf16f73d3c50efdc2e51bd94604a0511e80b2b2

    SHA256

    14b6a43b74442f71a63b7bb043f3f0b884a0d7b7fb1c17d206baa180e8bdb41a

    SHA512

    31604acfdbc45448d432177494a4109da4738c568ab9576650321454d77d8551c9fa963adca924d80cfcbbb68dd03f4f4fd5914560ca4329be7d46f39ad5d573

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    221f616adca2fdccd10e65b547ea8bfb

    SHA1

    561476661e0a1b3bf25b0cbab97d4811bdf8cf30

    SHA256

    ab52d01e1842c5d62814618493c529597ca992a66f1fee4c74c17eccb458eda4

    SHA512

    c216f30ae383d85654c06f69c0d99eabb54ccd4c6221276cb8e1fd9ad2be31cf42b9b4c338f41f1fe3e0d9aca9e7580ab6522949dcfeaffc9de50e859d668303

  • C:\odt\OFFICE~1.EXE
    Filesize

    5.1MB

    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

  • memory/1424-143-0x0000000000000000-mapping.dmp
  • memory/3248-140-0x0000000000000000-mapping.dmp
  • memory/3248-144-0x0000000073FC0000-0x0000000074571000-memory.dmp
    Filesize

    5.7MB

  • memory/3248-145-0x0000000073FC0000-0x0000000074571000-memory.dmp
    Filesize

    5.7MB

  • memory/4112-135-0x0000000073FC0000-0x0000000074571000-memory.dmp
    Filesize

    5.7MB

  • memory/4112-132-0x0000000000000000-mapping.dmp
  • memory/4112-142-0x0000000073FC0000-0x0000000074571000-memory.dmp
    Filesize

    5.7MB

  • memory/4604-136-0x0000000000000000-mapping.dmp