Analysis
-
max time kernel
109s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
28-11-2022 02:45
General
-
Target
7c0ed0f2b7cd99e442029ff585c21403e6745533cb0fb6e2e9c62e9bd86f9ef9.exe
-
Size
821KB
-
MD5
1a3b15a67092446a15258995e6fae3ac
-
SHA1
ce717a0d35b775fd868ab148d85f52227cd0de6e
-
SHA256
7c0ed0f2b7cd99e442029ff585c21403e6745533cb0fb6e2e9c62e9bd86f9ef9
-
SHA512
587670a19a76ab3417b6e00a3b2d8c2654fbdb0d3eb965fd48f775c5fa113ce36856a8dbdb2c74ad587d7454c4dde24b7fd92a85eb147862a2f19f34c7737d0e
-
SSDEEP
24576:WO2TlgLCI5LON9R4qXCd0mYESKoTGgiRYEW2oEds:WxlgR5aB46Cd15NiGNvWPEs
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
krasht235
Signatures
-
Detect Neshta payload 2 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Nirsoft 6 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c0ed0f2b7cd99e442029ff585c21403e6745533cb0fb6e2e9c62e9bd86f9ef9.exe"C:\Users\Admin\AppData\Local\Temp\7c0ed0f2b7cd99e442029ff585c21403e6745533cb0fb6e2e9c62e9bd86f9ef9.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\123456.exe"C:\Users\Admin\AppData\Local\Temp\123456.exe"2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\123456.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\123456.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exeC:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exeC:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.txt4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exeC:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exeC:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt4⤵
- Executes dropped EXE
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\450172 - êîïèÿ.ppsx" /ou ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
601KB
MD564d3550f20e3986282a28f0e82757822
SHA1798e6d38e70b7948174a28e11b08bfb5c319f684
SHA25693787b1a700dea1b62c4f184909d0b1b3b43be74e43f0e30cc1fd7244b3ac502
SHA5120648e21c4a06c88b658fc902e1a1419efc95378771682c174e6352e73ace142fcc17a2f287f410fcf911a8a4eae9c632db300de4c2152b6d050c7a0509f32c80
-
Filesize
601KB
MD564d3550f20e3986282a28f0e82757822
SHA1798e6d38e70b7948174a28e11b08bfb5c319f684
SHA25693787b1a700dea1b62c4f184909d0b1b3b43be74e43f0e30cc1fd7244b3ac502
SHA5120648e21c4a06c88b658fc902e1a1419efc95378771682c174e6352e73ace142fcc17a2f287f410fcf911a8a4eae9c632db300de4c2152b6d050c7a0509f32c80
-
Filesize
560KB
MD501db094c1297a144d27cb0ec83fe545b
SHA1ee4f87954cb0d736c0e880b9533eada0a84aaeaf
SHA25697770da61e3d0bc8ee29d32f560a7bd2ddd8003498395490f419fafba53f668a
SHA51222c8eaec0339eb896cf04b04fef6b2edcc4b05e03437e0864a9bdd23ef4b0ee7703c5b1681c9646a535103b5950f6bca302d34d18f331b98efbe49fb792997cf
-
Filesize
560KB
MD501db094c1297a144d27cb0ec83fe545b
SHA1ee4f87954cb0d736c0e880b9533eada0a84aaeaf
SHA25697770da61e3d0bc8ee29d32f560a7bd2ddd8003498395490f419fafba53f668a
SHA51222c8eaec0339eb896cf04b04fef6b2edcc4b05e03437e0864a9bdd23ef4b0ee7703c5b1681c9646a535103b5950f6bca302d34d18f331b98efbe49fb792997cf
-
Filesize
211KB
MD5bee6fc3b282724a6169bc84fafc75c61
SHA1ec922aad2bf73fde7ca4f419e1911a13a3192859
SHA2560fe15d409e35597610d1fad3d1cb246fc0a175a3c4d1241b40a4d7a1046bb7f8
SHA5124f36f195b1dc9fd0b3959c802a9ffc9b63d45541016a7d0c4e02dcf742c6aa33cb72b97b7810d7728080eaa8f9c46d7de3facfb82be7ed27e71f0cc8394fddd4
-
Filesize
70KB
MD5398f515c4d202d9c9c1f884ac50bc72c
SHA1ae86b2bb9323345a228b92fdb518e268f4a7b54d
SHA256675692ae37f1ad32cc1c35e724331112e0701b41d3b2107457f6a2c994f38103
SHA512f116731bac5c4e888ea45498984d81a097999cdff76d284bbb79470889726c2d765813c4b09169e02da63ce2fa7ee745dd7aeb60baae704cd3ef9ca8a55018a0
-
Filesize
70KB
MD5398f515c4d202d9c9c1f884ac50bc72c
SHA1ae86b2bb9323345a228b92fdb518e268f4a7b54d
SHA256675692ae37f1ad32cc1c35e724331112e0701b41d3b2107457f6a2c994f38103
SHA512f116731bac5c4e888ea45498984d81a097999cdff76d284bbb79470889726c2d765813c4b09169e02da63ce2fa7ee745dd7aeb60baae704cd3ef9ca8a55018a0
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
43KB
MD5c861fe184e271d6e2ba958da306ba748
SHA1b039e4d8e70261dfdf8ee521dcbc3e04348423a5
SHA256f8a112b0d1ce4142e4d69cadfc2748c27026b491532fba18d9160f7eb48b4886
SHA512ea127eaa149b5ff1b1f1de3891563b2e064e043f03e48ca298d3539e1f572297abd4efd951021372ba0090b8c30c06e7d144bec6d9828a5cc08a644155a8f3ce
-
Filesize
43KB
MD5c861fe184e271d6e2ba958da306ba748
SHA1b039e4d8e70261dfdf8ee521dcbc3e04348423a5
SHA256f8a112b0d1ce4142e4d69cadfc2748c27026b491532fba18d9160f7eb48b4886
SHA512ea127eaa149b5ff1b1f1de3891563b2e064e043f03e48ca298d3539e1f572297abd4efd951021372ba0090b8c30c06e7d144bec6d9828a5cc08a644155a8f3ce
-
Filesize
214KB
MD57b641e136f446860c48a3a870523249f
SHA1f55465c1581b8cc1a012d3b7d8504c55e8e66e1c
SHA2564cd6ed20baffc008b69642cd4687249fa0568c8bb8e29ce601ab6fef8a667382
SHA512fd6f09775539e77e83927585d8a3ef230399be5bd0798f073e925113faf219225145df230fc0d232c8c6d1f0ec28936b7ac593dcb25f72796310f117811bd09b
-
Filesize
214KB
MD57b641e136f446860c48a3a870523249f
SHA1f55465c1581b8cc1a012d3b7d8504c55e8e66e1c
SHA2564cd6ed20baffc008b69642cd4687249fa0568c8bb8e29ce601ab6fef8a667382
SHA512fd6f09775539e77e83927585d8a3ef230399be5bd0798f073e925113faf219225145df230fc0d232c8c6d1f0ec28936b7ac593dcb25f72796310f117811bd09b
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
39KB
MD58b4ae559ad7836b27ee9f8f171be8139
SHA1c60ddcfc7b3954f4d0d515b1fdaf47c6999e50a4
SHA2561130504f6095d2b09fb1ad39323ab9448798b41eb925539e2128160cec106609
SHA512df13ae1aa3b481d1a819736af6dbf5fea5c930a1fe18ea0368a0d2efbe20334626dd90b42757bf8ef080f229e502c97cd6f5173738bc4967e26a04aee61c040b
-
Filesize
39KB
MD58b4ae559ad7836b27ee9f8f171be8139
SHA1c60ddcfc7b3954f4d0d515b1fdaf47c6999e50a4
SHA2561130504f6095d2b09fb1ad39323ab9448798b41eb925539e2128160cec106609
SHA512df13ae1aa3b481d1a819736af6dbf5fea5c930a1fe18ea0368a0d2efbe20334626dd90b42757bf8ef080f229e502c97cd6f5173738bc4967e26a04aee61c040b
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
-
Filesize
40KB
-
Filesize
592KB
-
Filesize
344KB
-
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
-
-
Filesize
100KB
-