Analysis

  • max time kernel
    134s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 02:39

General

  • Target

    383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe

  • Size

    733KB

  • MD5

    18e67930a20cde9e27ac3169615b8abc

  • SHA1

    8c36f92233be12440c62aa71b47b8f92fe4eec7e

  • SHA256

    383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f

  • SHA512

    431339f98539e75e97745a1efbdc194156f331821ba62f95961b4ea8b1906f31459b4fe96cdca249115a51a0003bd8d22db51ded29775f4a3894b05f88c1f031

  • SSDEEP

    12288:qhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aTA25b8jyrSG:qRmJkcoQricOIQxiZY1iaTA2pJB

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
    "C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe
      "C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:960
    • C:\Users\Admin\AppData\Local\Temp\conhost.exe
      "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      2⤵
      • Executes dropped EXE
      PID:1540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe

    Filesize

    644KB

    MD5

    a81137304bc201ac1b9a557675f68168

    SHA1

    6e3a1e82ff71821e0663ff3211c713f9ce166dd2

    SHA256

    4b4d14f262bddbd4ef91519694a813e0d640d13ef3122ecf6aae2a0c12d8ba86

    SHA512

    2bab7eb32599beee8995e1a901c4de327eac770b8bb7a7656658d31b5ab061f4d0bdae160975199246aac92b99e2683c0879649cc7cad9b1d59bdc338b9d68ec

  • C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe

    Filesize

    644KB

    MD5

    a81137304bc201ac1b9a557675f68168

    SHA1

    6e3a1e82ff71821e0663ff3211c713f9ce166dd2

    SHA256

    4b4d14f262bddbd4ef91519694a813e0d640d13ef3122ecf6aae2a0c12d8ba86

    SHA512

    2bab7eb32599beee8995e1a901c4de327eac770b8bb7a7656658d31b5ab061f4d0bdae160975199246aac92b99e2683c0879649cc7cad9b1d59bdc338b9d68ec

  • \Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • \Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • \Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • \Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • \Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • \Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • \Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • \Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • memory/1540-74-0x000007FEF4230000-0x000007FEF4C53000-memory.dmp

    Filesize

    10.1MB

  • memory/1540-76-0x000007FEF2DC0000-0x000007FEF3E56000-memory.dmp

    Filesize

    16.6MB

  • memory/1540-78-0x0000000001F86000-0x0000000001FA5000-memory.dmp

    Filesize

    124KB

  • memory/1896-54-0x0000000075201000-0x0000000075203000-memory.dmp

    Filesize

    8KB