Analysis

  • max time kernel
    156s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-11-2022 00:48

General

  • Target: 9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
  • Size: 286KB
  • MD5: a1ef5994415011741f255876abdc1274
  • SHA1: 810212f961045c847dbe211f842fe66376542d0a
  • SHA256: 9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17
  • SHA512: 9992759c6283c46a81c3f5ceb1b44388b4d3eb8ceb1d3a2552aee62c6c29cb2c7d4113344d2f28562a63eb7a4d287e8585532b3cacc1b55921221a71bd6aefd3
  • SSDEEP: 6144:byH7xOc6H5c6HcT66vlmrYWZ8B726xfLq0XLoUePSeqBlJusyH7xOc6H5c6HcT6I:banWZclq0XbePSra+ePSK

Signatures

  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • Neshta

    Malware from the Neshta family is designed to infect other files with its own code in order to spread and cause damage.

  • Executes dropped EXE (5 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

Indented entries are child processes of the entry above them.

  • C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
    "C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID: 4284
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID: 3392
      • C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
        "C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
        • Modifies system executable filetype association
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID: 5044
        • C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
          "C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID: 4740
          • C:\Windows\svchost.exe
            "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
            • Executes dropped EXE
            PID: 3480
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID: 4924

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                          Count  ID
  Persistence         Change Default File Association    1      T1042
  Defense Evasion     Modify Registry                    1      T1112
  Credential Access   Credentials in Files               1      T1081
  Discovery           Query Registry                     1      T1012
  Discovery           System Information Discovery       2      T1082
  Collection          Data from Local System             1      T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
    Filesize: 210KB
    MD5: 52fb8a7cabc51e581a1856d13837ec10
    SHA1: a5781121a57f838ce5e0864585d7649b30aa4dc5
    SHA256: c0c120236f6e9344dd49284b7b7849ad8ead9918d683d6fd55896a9491cf7c74
    SHA512: 523fc8f020254bae1ed407228821c4a7d62b12a5b5e42f583a76e09fad53b52df0fbc4244ab5c111e0af42e969ea76b1f2e7b7c300484101a6576112d903b6ba

  • C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
    Filesize: 251KB
    MD5: 7a96a74c14af7f295da07f8bb9959d1f
    SHA1: 943c0fb97807ee90cda3f298bf978b5026151403
    SHA256: a51763c664b34d67281c24c1a56f2cf4dc727e90a6826d506ae96bf88f7f3bf9
    SHA512: 6968b454d2a4978e95fae715614167443f420fcecaacbcde378e41f619adac98ddff8d8708413e190221be5bb585a13c46d36bd8ab214772c6f428fa5aadeae2

  • C:\Windows\svchost.exe
    Filesize: 35KB
    MD5: 9e3c13b6556d5636b745d3e466d47467
    SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
    SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
    SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/3392-132-0x0000000000000000-mapping.dmp
  • memory/3480-142-0x0000000000000000-mapping.dmp
  • memory/4740-139-0x0000000000000000-mapping.dmp
  • memory/5044-135-0x0000000000000000-mapping.dmp