Analysis

  • max time kernel
    187s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-11-2022 02:39

General

  • Target

    0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

  • Size

    601KB

  • MD5

    679e100f630ae3a79e1750bc15498ad5

  • SHA1

    aeaead2657d304f8f7ec278da9e202764889dcdf

  • SHA256

    0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11

  • SHA512

    b567c93b679aeb3b578a7c861294cead35c685ef0df8ecab7d50d17db3615d81008520ad26748720d494c291ea5c8f2d839f0fbe667001af46ea0e2d0a82f13c

  • SSDEEP

    12288:H9OczTX1g+ACjgJ5Q+ON9R4qeACjdXE1cVKB/5EJz6L/tIoTGgsV:dO2TlgLCI5LON9R4qXCd0mYESKoTGgsV

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Churbanka55555999

These values come from the dropped payload's own configuration, so they are the attacker's exfiltration mailbox (Gmail on the submission port 587, i.e. STARTTLS), not a victim credential; the stealer presumably mails its NirSoft output through it, although the Network section of this run is empty. Treat the account as an indicator to block and report, and expect it to have been rotated since the sample was captured.

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs

    The .exe file-association handler (exefile\shell\open\command) is rewritten so that every executable launched on the host passes through the infector first. This is the persistence mechanism Neshta is known for; the exact registry value is not shown in this report.

  • Neshta

    Neshta is a file infector: it prepends its own code to executables it finds, so running an infected program executes the infector first, which then writes the original host program to a 3582-490 directory under %TEMP% and runs it. That is exactly the process tree below: the 601KB submitted sample (the infected file) drops and runs the 560KB original under 3582-490\, and the roughly 41KB difference is the prepended infector stub, consistent with Neshta's documented stub size.

  • Nirsoft 6 IoCs

    Four copies of NirSoft's WebBrowserPassView, a legitimate browser password-recovery tool, are dropped to %TEMP% and run with /stext to write saved browser credentials to text files. The four binaries differ in size and hash (70KB, 43KB, 214KB, 39KB), i.e. they are different builds or packings of the tool rather than four copies of one file.

  • Executes dropped EXE 5 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, which malware commonly uses to geofence execution.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla, which hold stored FTP credentials.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers target stored browser data, which can include saved credentials and similar sensitive data.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs

    The 64 writes under Program Files are consistent with the infector modifying executables it finds there; the report gives counts only, so on a real host treat every .exe as potentially infected rather than only the files listed below.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour", but nothing else in this report (no encryption, no ransom note) supports that; for a Neshta sample, drive enumeration is more plausibly the infector looking for further executables to infect.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
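The first signature above is the one to verify on any host that ran this sample. The following is an added example (not code from the sandbox or the malware): it parses a `.reg` export of the `exefile` key and flags the association as hijacked whenever the open command is anything other than the stock `"%1" %*`. The constructed "infected" export points the handler at `C:\Windows\svchost.com`, which is Neshta's documented target; that path is an assumption here, since the report shows only the generic signature, which is why the check flags any deviation rather than one specific path.

```python
"""Detect a hijacked .exe file association in an exported registry fragment.

Added example, not code from the sandbox report.  The stock (default) value of
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command is  "%1" %*  ; anything else
means every .exe launch on the host is routed through another binary first.
"""
from __future__ import annotations

import re

STOCK_EXEFILE_COMMAND = '"%1" %*'

# Constructed .reg export, as `reg export HKCR\exefile out.reg` would give on an
# infected host.  Pointing the handler at %SystemRoot%\svchost.com is Neshta's
# documented behaviour but is an assumption here: the report does not show it.
INFECTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\svchost.com\" \"%1\" %*"
'''

# Constructed clean export of the same key, for comparison.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def _unescape_reg_string(literal: str) -> str:
    """Undo .reg REG_SZ quoting: the text sits between double quotes, and a
    backslash or double quote inside it is escaped with a backslash."""
    if not (literal.startswith('"') and literal.endswith('"')):
        raise ValueError(f"not a REG_SZ literal: {literal!r}")
    return re.sub(r'\\(["\\])', r'\1', literal[1:-1])


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: value}} for a .reg export.  String values
    are unescaped; other types (dword:, hex:) are kept as their raw text."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"'):
            value = _unescape_reg_string(value)
        keys[current][name] = value
    return keys


def exefile_open_command(keys: dict[str, dict[str, str]]) -> str | None:
    """The (Default) value of the exefile\\shell\\open\\command key, if exported."""
    for path, values in keys.items():
        if path.lower().endswith(r"\exefile\shell\open\command"):
            return values.get("(Default)")
    return None


def is_exefile_hijacked(reg_text: str) -> tuple[bool, str | None]:
    """(hijacked?, observed command).  Hijacked means anything but "%1" %*."""
    command = exefile_open_command(parse_reg_export(reg_text))
    if command is None:
        return False, None
    return command.strip() != STOCK_EXEFILE_COMMAND, command


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        hijacked, command = is_exefile_hijacked(export)
        print(f"{label}: hijacked={hijacked} command={command!r}")
```

Feed it the output of `reg export HKCR\exefile out.reg` (the file is UTF-16; decode it before parsing). A hijacked handler is not something to fix by editing the value back: the infected executables across Program Files still carry the stub, so the host needs a full disinfection or rebuild.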

Processes

  • C:\Users\Admin\AppData\Local\Temp\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
    "C:\Users\Admin\AppData\Local\Temp\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt
        3⤵
        • Executes dropped EXE
        PID:4520
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.txt
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3684
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt
        3⤵
        • Executes dropped EXE
        PID:3884
      • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe
        C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt
        3⤵
        • Executes dropped EXE
        PID:1060
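The tree above is the detection opportunity: one dropped parent launching several NirSoft binaries in sequence, each with `/stext` writing into %TEMP%. The following is an added example (not part of the report) that runs that logic over constructed Sysmon-style process-creation events mirroring the tree; the PIDs, paths and hashes are copied from this report, the final benign event is invented for contrast, and the NirSoft tool-name list is a partial one the reader is assumed to extend.

```python
"""Flag NirSoft-style credential dumping in process-creation telemetry.

Added example, not part of the sandbox report.  The events below are
constructed to mirror the process tree above in Sysmon Event ID 1 style
(image, command line, PID, parent PID, MD5); PIDs, paths and hashes come from
the report, the benign event at the end is invented for contrast.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# MD5s of WebBrowserPassView1-4.exe from the report's Downloads section.
REPORT_MD5_IOCS = {
    "398f515c4d202d9c9c1f884ac50bc72c",
    "c861fe184e271d6e2ba958da306ba748",
    "7b641e136f446860c48a3a870523249f",
    "8b4ae559ad7836b27ee9f8f171be8139",
}

# NirSoft recovery tools share one family of "save report" switches; /stext is
# the one used here.  Matching the switch catches renamed binaries, which a
# name-only rule would miss.
NIRSOFT_SAVE_SWITCH = re.compile(r"(?i)(?:^|\s)/s(?:text|comma|tab|html|verhtml|xml|json)\b")
# Partial, hand-maintained name list (assumption: extend it for your estate).
NIRSOFT_TOOL_NAMES = re.compile(r"(?i)(webbrowserpassview|mailpv|iepv|chromepass|passwordfox|netpass)")
USER_TEMP = re.compile(r"(?i)\\AppData\\Local\\Temp\\")

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe"
SAMPLE_PATH = TMP + "\\" + SAMPLE
DROPPED_PATH = TMP + r"\3582-490" + "\\" + SAMPLE


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str = ""


def _dumper(n: int, pid: int, md5: str) -> ProcEvent:
    """One WebBrowserPassView<n>.exe /stext launch, as in the tree above."""
    image = f"{TMP}\\WebBrowserPassView{n}.exe"
    return ProcEvent(pid, 1672, image, f"{image} /stext {TMP}\\WebBrowserPassView{n}.txt", md5)


EVENTS = [
    ProcEvent(3740, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1672, 3740, DROPPED_PATH, f'"{DROPPED_PATH}"', "e95ff676f76ae2b026a26621e70f8038"),
    _dumper(1, 4520, "398f515c4d202d9c9c1f884ac50bc72c"),
    _dumper(2, 3684, "c861fe184e271d6e2ba958da306ba748"),
    _dumper(3, 3884, "7b641e136f446860c48a3a870523249f"),
    _dumper(4, 1060, "8b4ae559ad7836b27ee9f8f171be8139"),
    # Constructed benign event: same parent, ordinary program, no save switch.
    ProcEvent(5000, 1672, r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]


def classify(event: ProcEvent) -> list[str]:
    """Independent reasons an event looks like NirSoft credential dumping."""
    reasons: list[str] = []
    if NIRSOFT_SAVE_SWITCH.search(event.cmdline):
        reasons.append("nirsoft_save_switch")
    if NIRSOFT_TOOL_NAMES.search(event.image.rsplit("\\", 1)[-1]):
        reasons.append("known_nirsoft_name")
    if event.md5.lower() in REPORT_MD5_IOCS:
        reasons.append("report_ioc_hash")
    if USER_TEMP.search(event.image):
        reasons.append("runs_from_user_temp")
    return reasons


def detect(events: list[ProcEvent]) -> tuple[list[tuple[int, list[str]]], dict[int, list[int]]]:
    """Return (per-process findings, parents that launched 2+ dumpers).

    A process is a finding when it carries the save switch or a known hash;
    the name and Temp-path reasons are corroboration only, since NirSoft
    tools are routinely renamed and legitimate installers also run from Temp."""
    findings: list[tuple[int, list[str]]] = []
    by_parent: dict[int, list[int]] = {}
    for ev in events:
        reasons = classify(ev)
        if "nirsoft_save_switch" in reasons or "report_ioc_hash" in reasons:
            findings.append((ev.pid, reasons))
            by_parent.setdefault(ev.ppid, []).append(ev.pid)
    serial = {ppid: pids for ppid, pids in by_parent.items() if len(pids) >= 2}
    return findings, serial


if __name__ == "__main__":
    found, serial = detect(EVENTS)
    for pid, reasons in found:
        print(f"pid {pid}: {', '.join(reasons)}")
    for ppid, pids in serial.items():
        print(f"parent {ppid} launched {len(pids)} dumpers in sequence: {pids}")
```

The parent-level grouping is the part worth keeping in a production rule: a single `/stext` launch may be an administrator recovering a password, but one parent spawning several recovery tools back to back is the stealer pattern this report shows.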

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Change Default File Association (T1042), 1 signature
  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Credential Access: Credentials in Files (T1081), 2 signatures
  • Discovery: Query Registry (T1012), 1 signature; System Information Discovery (T1082), 2 signatures
  • Collection: Data from Local System (T1005), 2 signatures

The IDs are ATT&CK v6 numbering; in current ATT&CK, T1042 is T1546.001 (Event Triggered Execution: Change Default File Association) and T1081 is T1552.001 (Unsecured Credentials: Credentials In Files).


Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
    Filesize

    560KB

    MD5

    e95ff676f76ae2b026a26621e70f8038

    SHA1

    c7e3d234f2c90ba00e69ed4ef6f7c74fa5b02fac

    SHA256

    61f7acc6d2255e2d90768c9dd4be2e014511727024792b9c8e0f161c2f6cba30

    SHA512

    f3416af401bed063a267c1997aee9e55a1f4603db4e2dfa53db20e90e4e76b21dc3180a0ac8d2f5a1441ba11341b286d56ddfa6ff8fa04a61130a1ded0f19e89

  • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe
    Filesize

    70KB

    MD5

    398f515c4d202d9c9c1f884ac50bc72c

    SHA1

    ae86b2bb9323345a228b92fdb518e268f4a7b54d

    SHA256

    675692ae37f1ad32cc1c35e724331112e0701b41d3b2107457f6a2c994f38103

    SHA512

    f116731bac5c4e888ea45498984d81a097999cdff76d284bbb79470889726c2d765813c4b09169e02da63ce2fa7ee745dd7aeb60baae704cd3ef9ca8a55018a0

  • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt
    Filesize

    2B (an effectively empty dump: the sandbox profile held no saved browser credentials, which is why WebBrowserPassView1/3/4.txt share one hash set)

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe
    Filesize

    43KB

    MD5

    c861fe184e271d6e2ba958da306ba748

    SHA1

    b039e4d8e70261dfdf8ee521dcbc3e04348423a5

    SHA256

    f8a112b0d1ce4142e4d69cadfc2748c27026b491532fba18d9160f7eb48b4886

    SHA512

    ea127eaa149b5ff1b1f1de3891563b2e064e043f03e48ca298d3539e1f572297abd4efd951021372ba0090b8c30c06e7d144bec6d9828a5cc08a644155a8f3ce

  • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe
    Filesize

    214KB

    MD5

    7b641e136f446860c48a3a870523249f

    SHA1

    f55465c1581b8cc1a012d3b7d8504c55e8e66e1c

    SHA256

    4cd6ed20baffc008b69642cd4687249fa0568c8bb8e29ce601ab6fef8a667382

    SHA512

    fd6f09775539e77e83927585d8a3ef230399be5bd0798f073e925113faf219225145df230fc0d232c8c6d1f0ec28936b7ac593dcb25f72796310f117811bd09b

  • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe
    Filesize

    39KB

    MD5

    8b4ae559ad7836b27ee9f8f171be8139

    SHA1

    c60ddcfc7b3954f4d0d515b1fdaf47c6999e50a4

    SHA256

    1130504f6095d2b09fb1ad39323ab9448798b41eb925539e2128160cec106609

    SHA512

    df13ae1aa3b481d1a819736af6dbf5fea5c930a1fe18ea0368a0d2efbe20334626dd90b42757bf8ef080f229e502c97cd6f5173738bc4967e26a04aee61c040b

  • C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/1060-157-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

  • memory/1060-153-0x0000000000000000-mapping.dmp
  • memory/1672-137-0x0000000006130000-0x00000000066D4000-memory.dmp
    Filesize

    5.6MB

  • memory/1672-132-0x0000000000000000-mapping.dmp
  • memory/1672-135-0x0000000000D20000-0x0000000000DB4000-memory.dmp
    Filesize

    592KB

  • memory/1672-136-0x0000000005AE0000-0x0000000005B7C000-memory.dmp
    Filesize

    624KB

  • memory/1672-140-0x0000000005D30000-0x0000000005D86000-memory.dmp
    Filesize

    344KB

  • memory/1672-138-0x0000000005B80000-0x0000000005C12000-memory.dmp
    Filesize

    584KB

  • memory/1672-139-0x0000000005A50000-0x0000000005A5A000-memory.dmp
    Filesize

    40KB

  • memory/3684-148-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

  • memory/3684-145-0x0000000000000000-mapping.dmp
  • memory/3884-149-0x0000000000000000-mapping.dmp
  • memory/4520-141-0x0000000000000000-mapping.dmp