Overview

overview

10

Static

static

fb011da84d...4d.exe

windows7-x64

10

fb011da84d...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb011da84d2d5b2c34db541a123740541b475473372f34c3a089a868c917ab4d.exe

  • Size

    357KB

  • MD5

    6bf7f042a995443f9c0204f536a0b357

  • SHA1

    791aba517575efe40ef456b4c07841e1ece3a98a

  • SHA256

    fb011da84d2d5b2c34db541a123740541b475473372f34c3a089a868c917ab4d

  • SHA512

    a1d739a08bd521ee599596d8121eb7c4e345a68a78334c3117a43b68dfeb8c95087dec479468018813ed9042368748cc651cf8027c037b8f69c942da8a089a44

  • SSDEEP

    6144:g0ml6Qq/6mHztA93ZhbpmI0i3jraPUOV5bYsTar0vZ9fcvAHfJyFQq/CN:S0j2XpKPx1o0vYqJqKN

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 22 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb011da84d2d5b2c34db541a123740541b475473372f34c3a089a868c917ab4d.exe
    "C:\Users\Admin\AppData\Local\Temp\fb011da84d2d5b2c34db541a123740541b475473372f34c3a089a868c917ab4d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Users\Admin\AppData\Local\Temp\BOSS.Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\BOSS.Installer.exe"
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:112
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\server.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4124
        • C:\Users\Admin\AppData\Local\Temp\3582-490\server.exe
          C:\Users\Admin\AppData\Local\Temp\3582-490\server.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:3568

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    Filesize

    328KB

    MD5

    39c8a4c2c3984b64b701b85cb724533b

    SHA1

    c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

    SHA256

    888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

    SHA512

    f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

    Download Submit

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
    Filesize

    92KB

    MD5

    176436d406fd1aabebae353963b3ebcf

    SHA1

    9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

    SHA256

    2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

    SHA512

    a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

    Download Submit

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
    Filesize

    147KB

    MD5

    3b35b268659965ab93b6ee42f8193395

    SHA1

    8faefc346e99c9b2488f2414234c9e4740b96d88

    SHA256

    750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

    SHA512

    035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

    Download Submit

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
    Filesize

    278KB

    MD5

    12c29dd57aa69f45ddd2e47620e0a8d9

    SHA1

    ba297aa3fe237ca916257bc46370b360a2db2223

    SHA256

    22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

    SHA512

    255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

    Download Submit

  • C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE
    Filesize

    179KB

    MD5

    c3faf2d052b6f1d2a4950004278e5e76

    SHA1

    f58531434952cc7ba2c9f55b4ad03beec9cd1ffb

    SHA256

    9507ade9fdc6a4195cbb1fc18864d4f9feaee0079183b12215f58a3d31b027fe

    SHA512

    70510254cde82024a86e4053e72afe523674efea79346e10beed328070b522940d1dd01dff5c19da23100c734d7edf77e762702535e2c58bc2952557dac38a0f

    Download Submit

  • C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE
    Filesize

    285KB

    MD5

    fab69bd8ce4878fe7db435f8708d8aa5

    SHA1

    5f57a48b198161d84a8b64b3611b5250bec2d818

    SHA256

    171ee72970045068e62105231ae2dba43b7e8e6ad52c69703152c61747aa702f

    SHA512

    8fdc5c5b0fa585484816537cdd5e6406204e899f8bfbb1e86ef38b001233145e7d64299a7f1c34a5485b44e04abbedce56380409b4e0c3e0385f3db9fefd0d26

    Download Submit

  • C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
    Filesize

    1.3MB

    MD5

    27543bab17420af611ccc3029db9465a

    SHA1

    f0f96fd53f9695737a3fa6145bc5a6ce58227966

    SHA256

    75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c

    SHA512

    a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

    Download Submit

  • C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
    Filesize

    494KB

    MD5

    05bdfd8a3128ab14d96818f43ebe9c0e

    SHA1

    495cbbd020391e05d11c52aa23bdae7b89532eb7

    SHA256

    7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

    SHA512

    8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

    Download Submit

  • C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    Filesize

    6.7MB

    MD5

    63dc05e27a0b43bf25f151751b481b8c

    SHA1

    b20321483dac62bce0aa0cef1d193d247747e189

    SHA256

    7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

    SHA512

    374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
    Filesize

    485KB

    MD5

    86749cd13537a694795be5d87ef7106d

    SHA1

    538030845680a8be8219618daee29e368dc1e06c

    SHA256

    8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

    SHA512

    7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
    Filesize

    714KB

    MD5

    af347c1ed4c9439b511585d607aa7a81

    SHA1

    5bccf29c6de8d1e005450f84d8e0ea597d290329

    SHA256

    94626f607c789acc73135c18be6fd93a9e56e839d4739dfebf45ce03d55386b9

    SHA512

    f314ad43f0af94f1178fb40a503c869c2a51ef04f78ee59b8236ca886c01ab7f50b4eb322cf16cbb7fde7015bc926b08df6ef50828c09178da82f2b5d512a5c1

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
    Filesize

    715KB

    MD5

    f34835c1f458f93cd9041bfa7d01ee7d

    SHA1

    283ac4059492a22e10f7fcef219e52e0400a8926

    SHA256

    afc5cc567db1a3318c89dd0efad2ca60a353290bc25d98bbbba8e6f1492e23b1

    SHA512

    d5cc2244f1b6492dd9e66c6e917c2dfaa11376d4a8d1dea2c241cd35ce947ad919e47d1a78dea0c1f6cd6fa1e74426f806ddcf9ed3e8f25a9ae7c370b09e6857

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
    Filesize

    536KB

    MD5

    bcb5db16e576464d3d8d93e1907bf946

    SHA1

    b10f3c3dc4baef4655ae2c30543be9d3c40b9781

    SHA256

    24c9b3b4cf5e45a56c90d7fd112b05f07dd89cf96e98729beb2f6081fca758c0

    SHA512

    c36339b06a00938c8a63ba4d54a766dc3ca3d1e34d69e9b4b2bfa9ca79c5c65d07f216f84af2b60be0c9cbdccadc5c271018efed52def8bd778dc01743d61229

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    Filesize

    485KB

    MD5

    87f15006aea3b4433e226882a56f188d

    SHA1

    e3ad6beb8229af62b0824151dbf546c0506d4f65

    SHA256

    8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

    SHA512

    b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    Filesize

    495KB

    MD5

    cbb4d1de101a08feca8d9cdc7974aa1f

    SHA1

    922c3250ac729ce70e5a9193809857e111e4bf13

    SHA256

    b19918294f009ebe507352cb24ad979116458ba036f6740d578a826ee322108a

    SHA512

    ba7f7fcf56b6771db5d6891771ae2153b5cacf7fe267e161fca829982aa52a5990b63ae1743ea77a895bbf22bf6b3c6f0f238c7b3d6c2db5c506faf68346f944

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\server.exe
    Filesize

    60KB

    MD5

    a4aaf19df5761408f6d0035838a413ef

    SHA1

    d2edde3476d508f64977fdabb6052bf3a6884f65

    SHA256

    b5301a092b889bf7f8dff2f14fc746c48b62ec46e99842eff7748048ac1f32fa

    SHA512

    7ca77c3c86a95c770759fb129a1c18726f1c186bc9543b12b97c36b829cad55325243d491845809e240d6ab4a75b29462a918e9f48eafd73e8a37b5ce82657b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\server.exe
    Filesize

    60KB

    MD5

    a4aaf19df5761408f6d0035838a413ef

    SHA1

    d2edde3476d508f64977fdabb6052bf3a6884f65

    SHA256

    b5301a092b889bf7f8dff2f14fc746c48b62ec46e99842eff7748048ac1f32fa

    SHA512

    7ca77c3c86a95c770759fb129a1c18726f1c186bc9543b12b97c36b829cad55325243d491845809e240d6ab4a75b29462a918e9f48eafd73e8a37b5ce82657b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
    Filesize

    499KB

    MD5

    82be02f0171ee399086267c639e729b9

    SHA1

    10652743ae17360ad5556ea6dc0829388bfadfc2

    SHA256

    3cf36717b14d321414fb4f0c9bf864ae39328fc8ddc94410c7660054e927d34e

    SHA512

    f150ef1ad0c670a052a0cfbef70445e673696f0767e9ce5047051e6adccaf1ce30039a8ee8147aa8b820e02b784cfd68f2ee1823907e225bd7b518d167117a46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\BOSS.Installer.exe
    Filesize

    8KB

    MD5

    03d50171bffb274fc20ed2cfe4cb979a

    SHA1

    814ee88831b4423e5cce826db38499b73816af8c

    SHA256

    1311d08b756af45b34adacd29e86d6c3ebf73be1656b6255b49dccc9b19ccd4f

    SHA512

    697f89b41cf689a73060477ae3599955f40de7f0780d8809fca6e5e1745d471960faaf961abeb31af96eaa712fb9f6f323bcde103f0143a66a5cd08d21bdbfca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\BOSS.Installer.exe
    Filesize

    8KB

    MD5

    03d50171bffb274fc20ed2cfe4cb979a

    SHA1

    814ee88831b4423e5cce826db38499b73816af8c

    SHA256

    1311d08b756af45b34adacd29e86d6c3ebf73be1656b6255b49dccc9b19ccd4f

    SHA512

    697f89b41cf689a73060477ae3599955f40de7f0780d8809fca6e5e1745d471960faaf961abeb31af96eaa712fb9f6f323bcde103f0143a66a5cd08d21bdbfca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    100KB

    MD5

    a13cb7edc9e0666de3ef9bf90460db6c

    SHA1

    5ffc51da527357071a404e49e5556d88a4ff3272

    SHA256

    2dd6f3a4a97767734a3fd6434ba334b5cda6de023a8f92ff039c3b113f0a52da

    SHA512

    3af3e9d26f775a25c27b539b35c7a85a8009ff01c05aa081668a795b979147c49438247a079499768f3ffaa86164c5e2ca37e9f3add19dd5f067e77ad0dd41b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    100KB

    MD5

    a13cb7edc9e0666de3ef9bf90460db6c

    SHA1

    5ffc51da527357071a404e49e5556d88a4ff3272

    SHA256

    2dd6f3a4a97767734a3fd6434ba334b5cda6de023a8f92ff039c3b113f0a52da

    SHA512

    3af3e9d26f775a25c27b539b35c7a85a8009ff01c05aa081668a795b979147c49438247a079499768f3ffaa86164c5e2ca37e9f3add19dd5f067e77ad0dd41b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    540KB

    MD5

    be42b245545f1df1a688cff8ad8e5d93

    SHA1

    431af3f2655e3061400f905e4e12e0ef7b5da0a9

    SHA256

    ff0509c47915e7bd8992910eb2caf9bbba51821fc9c7e266f379f52115c2f6f3

    SHA512

    c7c721df24978fc8bcf20eb0c4254239c83a7129d7c8530831b74a56404251235ac033f9faf70f8d496c1546f13531050d58fd66cb3f1390bf7ec084c01c4153

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    540KB

    MD5

    be42b245545f1df1a688cff8ad8e5d93

    SHA1

    431af3f2655e3061400f905e4e12e0ef7b5da0a9

    SHA256

    ff0509c47915e7bd8992910eb2caf9bbba51821fc9c7e266f379f52115c2f6f3

    SHA512

    c7c721df24978fc8bcf20eb0c4254239c83a7129d7c8530831b74a56404251235ac033f9faf70f8d496c1546f13531050d58fd66cb3f1390bf7ec084c01c4153

    Download Submit

  • C:\Windows\directx.sys
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    6553b54fc67ecaa29477dd24facb8c79

    SHA1

    2f5f18aa8af1883690db876f35e0ea7c75a247f6

    SHA256

    e77d24502ba20a8ad96ac60543eb4ba5b71ab5f17d7acdeab2a2e5611f67c0d3

    SHA512

    fd7d94cbb5525286bcaab6dd75256414c9228ff4e4fa6b7c15d16bb155cd227ac79cdbf6e36c9330ac98f8a4542225c2e8b5ee06ae6dd21fccd512f1799982a6

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    6553b54fc67ecaa29477dd24facb8c79

    SHA1

    2f5f18aa8af1883690db876f35e0ea7c75a247f6

    SHA256

    e77d24502ba20a8ad96ac60543eb4ba5b71ab5f17d7acdeab2a2e5611f67c0d3

    SHA512

    fd7d94cbb5525286bcaab6dd75256414c9228ff4e4fa6b7c15d16bb155cd227ac79cdbf6e36c9330ac98f8a4542225c2e8b5ee06ae6dd21fccd512f1799982a6

    Download Submit

  • C:\odt\OFFICE~1.EXE
    Filesize

    5.1MB

    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

    Download Submit

  • memory/112-135-0x0000000000000000-mapping.dmp

    Download

  • memory/2584-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3568-146-0x0000000000000000-mapping.dmp

    Download

  • memory/3752-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4124-142-0x0000000000000000-mapping.dmp

    Download