Analysis

  • max time kernel
    174s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 13:53

General

  • Target

    49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b.exe

  • Size

    512KB

  • MD5

    0aa930b2c75d750c9563f3fd75ea0af2

  • SHA1

    a6603c67e138bcfdba140f976b1f58f041dd28cd

  • SHA256

    49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b

  • SHA512

    ee101237e2336206570e9eb9848dc12796235b8d5f65df4432f2dd2b5d1d9d4e74d6b9dee1c7a5d9fb8c62b6a5d3181ca05763839e82543c1648aee78e5818ee

  • SSDEEP

    12288:kuL3gBYsCLrwCIBr0H1l5p19Yj0q692M576yR:k0wJgIBr0H1LpEb68qOyR

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: malware from this family writes its own code into other executable files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b.exe
    "C:\Users\Admin\AppData\Local\Temp\49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Local\Temp\3582-490\49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:712

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b.exe
    Filesize

    472KB

    MD5

    40c7b03b56707e50796091d961fd4769

    SHA1

    b11a526d3d37be5c38e31a56ab762b9471957cca

    SHA256

    a37af8742908c5ae38851ed847431d12ad130363212e49835e2466c3bb8c0f79

    SHA512

    115a55a00b4901fc68f5084ff94d9bc9b0c97805f2ed3619616324adc59c6f8b05c27630a191cd9599ebd3c3a5696c5b5a49958923dde0f7f1cef7c4fcf9d67f

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\49fc600b09319b65b4148a2d7e308e7123945b0f3c206086405eea1962d3c81b.exe
    Filesize

    472KB

    MD5

    40c7b03b56707e50796091d961fd4769

    SHA1

    b11a526d3d37be5c38e31a56ab762b9471957cca

    SHA256

    a37af8742908c5ae38851ed847431d12ad130363212e49835e2466c3bb8c0f79

    SHA512

    115a55a00b4901fc68f5084ff94d9bc9b0c97805f2ed3619616324adc59c6f8b05c27630a191cd9599ebd3c3a5696c5b5a49958923dde0f7f1cef7c4fcf9d67f

  • memory/632-54-0x0000000075C31000-0x0000000075C33000-memory.dmp
    Filesize

    8KB

  • memory/712-57-0x0000000000000000-mapping.dmp