Overview

overview

10

Static

static

5

f1d8e0d0c5...72.exe

windows7-x64

10

f1d8e0d0c5...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1d8e0d0c55bb9f7634ab68da59734683bf67ce8e5d108508b2feb90eea1cc72.exe

  • Size

    1.3MB

  • MD5

    b0975975d9c3819a7e13728556a5c549

  • SHA1

    3afb640f3143701ff53e5176eddda37aed5fb42e

  • SHA256

    f1d8e0d0c55bb9f7634ab68da59734683bf67ce8e5d108508b2feb90eea1cc72

  • SHA512

    93baab4cad7f9bbf80fdaf48ee96c1d659681543f7ffbb2e7d47a189727e8a098329a951855da440354f0d84d495124bb7ede44d45bd3bba3a12082f8ad2e7dc

  • SSDEEP

    24576:Dtb20pkaCqT5TBWgNQ7aDCMBalGKoBuQcR6A:AVg5tQ7aDC9glBu95

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Detect Neshta payload 20 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1d8e0d0c55bb9f7634ab68da59734683bf67ce8e5d108508b2feb90eea1cc72.exe
    "C:\Users\Admin\AppData\Local\Temp\f1d8e0d0c55bb9f7634ab68da59734683bf67ce8e5d108508b2feb90eea1cc72.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\system.exe
      C:\Users\Admin\AppData\Local\Temp/system.exe
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe"
        3⤵
        • Executes dropped EXE
        PID:3684
    • C:\Users\Admin\AppData\Local\Temp\njRAT.exe
      C:\Users\Admin\AppData\Local\Temp/njRAT.exe
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Users\Admin\AppData\Local\Temp\3582-490\njRAT.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\njRAT.exe"
        3⤵
        • Executes dropped EXE
        PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
    Filesize

    175KB

    MD5

    576410de51e63c3b5442540c8fdacbee

    SHA1

    8de673b679e0fee6e460cbf4f21ab728e41e0973

    SHA256

    3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

    SHA512

    f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

    Download Submit
  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
    Filesize

    278KB

    MD5

    12c29dd57aa69f45ddd2e47620e0a8d9

    SHA1

    ba297aa3fe237ca916257bc46370b360a2db2223

    SHA256

    22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

    SHA512

    255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

    Download Submit
  • C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
    Filesize

    1.2MB

    MD5

    8e42f3a4a399d84e67ed633ba23863cb

    SHA1

    02ebfa5274214dcc48acfd24b8da3fb5cb93f6c6

    SHA256

    42716ea8beca9e555cef3b78a2fbf836c9da034318d625262810290309d955db

    SHA512

    0f6af721a89c2cf7249ecb1cc0a263c6252f8762b7381b35ccff6347d7d069799d2f0561bec0a651d690fbf29c98050bf15b604d3cca668b7437503ba102492f

    Download Submit
  • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
    Filesize

    942KB

    MD5

    2d3cc5612a414f556f925a3c1cb6a1d6

    SHA1

    0fee45317280ed326e941cc2d0df848c4e74e894

    SHA256

    fe46de1265b6fe2e316aca33d7f7f45c6ffdf7c49a044b464fd9dc88ec92091b

    SHA512

    cc49b200adf92a915da6f9b73417543d4dcc77414e0c4bd2ce3bfdfc5d151e0b28249f8d64f6b7087cf8c3bab6aeeab5b152ac6199cb7cc63e64a66b4f03a9f5

    Download Submit
  • C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
    Filesize

    138KB

    MD5

    950000c930454e0c30644f13ed60e9c3

    SHA1

    5f6b06e8a02e1390e7499722b277135b4950723d

    SHA256

    09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

    SHA512

    22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

    Download Submit
  • C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
    Filesize

    258KB

    MD5

    f6986938846b42cf75f85626e8995d96

    SHA1

    f0b85ebc1e33f8f9a3a0daab4e4c29c71a05a563

    SHA256

    9eb949ed69c7765d485d2dbd3417b9041b6c5f218d733064b22eb15376f1f6a5

    SHA512

    7a9213bd887ec4014c1d64f338487b0c54b9e3f15c86fb7aa443f294e788c5103fbf8ceb419fa6d735dfda03d42bafb4a25b978615e28d6a5ad16e64d93026dd

    Download Submit
  • C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
    Filesize

    138KB

    MD5

    fafb18b930b2b05ac8c5ddb988e9062f

    SHA1

    825ea5069601fb875f8d050aa01300eac03d3826

    SHA256

    c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265

    SHA512

    be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54

    Download Submit
  • C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
    Filesize

    326KB

    MD5

    09f0c144ff13cebc21267e71326324e7

    SHA1

    338ca67ba76427c48aace86ad68b780eb38a252d

    SHA256

    56977618a0fbd66c0ef0ca042290dfe464f4ad5b4b737a4b9db47631a7178f13

    SHA512

    126ed94d3efd7aa54b181ffe35be6dbe6aea1481eaf28f6f418a23717d052e3d53e49c1de8f7aa68120f9be9b84e965ab5ccf3b0f0a1b25de6321217d67e6284

    Download Submit
  • C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI391D~1.EXE
    Filesize

    179KB

    MD5

    0bfa2115af706dcea7d475e3eb004c1c

    SHA1

    2f74f2fd0c4ad5720ae1dd84cdd207052454628b

    SHA256

    5ee862cdc08b19ae4ffb61dc8da5636263efac09b8745f373f4a4e7895aebcfd

    SHA512

    55497097b37bddcc3ed1d32b56d64f0b4a025731269c4f8a13cacf59ecd0e09ef9abaf91b648eb1e8d7ef4f86e3eb325b21d0afb297486b7bd8a0356ff2a8024

    Download Submit
  • C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI9C33~1.EXE
    Filesize

    138KB

    MD5

    63c82beb1463dce7a483c55be865a459

    SHA1

    6e9b6eaa8c786b5c0821b06a1fcb6839a78e6015

    SHA256

    553409501c12b32dedc6a17ebf02cc1d55983a928fdc8fbf6a31d78e863f6411

    SHA512

    f12c5961a7fed390ef689a7d9d34aa894d756cc25a668cde6c3a8dfabc2e9e36d40b1ed19ade319fe1cde06d80acfda71b0bce489bc34a38302b099a82ceb71f

    Download Submit
  • C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MIA062~1.EXE
    Filesize

    1.6MB

    MD5

    0bcfe245079c83a937285aa7ded7446d

    SHA1

    b4f0cd79d6e6d6f5a19daffbcdffd1fe6c9b60a9

    SHA256

    c7adc2458f86c0daf89479cbc366d84232533d37c3c62404b880b683626e05cf

    SHA512

    5a28be60862cb7f6e78eada5c3b3a90c15931a100e4007405171842cc1dd6f633df2dfd0cdf64d27a9dafbf2b36e67fa9b368dccf13fa9dd57c28caebfef40a0

    Download Submit
  • C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~2.EXE
    Filesize

    290KB

    MD5

    aac9db8765ea0d04c6b2a208c1486194

    SHA1

    b4f6cb9d0a0234a8d5c33da994bb7c3a7a91164a

    SHA256

    c7cd6a8778f71f14a055746d2cfe5899c8a7c4cd7bc3bfd253ea2ed80be9d785

    SHA512

    43571220a9c9d820d6a0c3ea107f33c127e84afff5795e364c11300f74679edce71eab7941df8aaad8575df83b3ad03b465bc3b12506d98dad7a1288e19f0d72

    Download Submit
  • C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~3.EXE
    Filesize

    245KB

    MD5

    5b361db3478c5f8aed36232f1133fb09

    SHA1

    6036e596a20540fbbeb07ac568ed7c9c32134e1f

    SHA256

    2af3bfab1ca8fe8050d235432219987e19ece2f6e2afe40ffdbb0b07edd7eb79

    SHA512

    65019cde1cab8704c00e3123441e2742da6584d7f5b7bc0a55e6b063326f1c939e96f4acbca3ee1e3542cf36e9c42cc5bd0589fc7549af29f86e913b49691f9c

    Download Submit
  • C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
    Filesize

    250KB

    MD5

    5d656c152b22ddd4f875306ca928243a

    SHA1

    177ff847aa898afa1b786077ae87b5ae0c7687c7

    SHA256

    4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

    SHA512

    d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

    Download Submit
  • C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
    Filesize

    279KB

    MD5

    f2056a3543ba9b6b6dde4346614b7f82

    SHA1

    139129616c3a9025a5cb16f9ad69018246bd9e2d

    SHA256

    2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

    SHA512

    e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\njRAT.exe
    Filesize

    938KB

    MD5

    8d6fccc76797e7d227c0a1fb44e9f7d5

    SHA1

    b04b30611aef6e4ecb8d97e1c4745dcc96dc868f

    SHA256

    7309e731ef25b10d418740a7338ca2ed4f4624ba02b6acd6194abd5add15976a

    SHA512

    597c9e242fbab438eabbff017c72cd18d467578bc41b41669149b6d66597dc7223b02c322d57951e471b93ed731e3a82ea30acebc59578ebf8861771736f88ce

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\njRAT.exe
    Filesize

    938KB

    MD5

    8d6fccc76797e7d227c0a1fb44e9f7d5

    SHA1

    b04b30611aef6e4ecb8d97e1c4745dcc96dc868f

    SHA256

    7309e731ef25b10d418740a7338ca2ed4f4624ba02b6acd6194abd5add15976a

    SHA512

    597c9e242fbab438eabbff017c72cd18d467578bc41b41669149b6d66597dc7223b02c322d57951e471b93ed731e3a82ea30acebc59578ebf8861771736f88ce

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
    Filesize

    145KB

    MD5

    16a83869f3a5decb6f2308581d545602

    SHA1

    6601f4ec55351bded6fdd1986385e14e225bb2f8

    SHA256

    119a4e5167bd258dde45bd54bf7426886503e6e149549247aba2e357e380ac6b

    SHA512

    f7e03983e4567e94cec21bbb31a81fca645ed3cbef13b509a90ad011d56d2d22c79a05ce96dba392cdde068216628315ac2b8801e56c440eb35b3fa19102565a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
    Filesize

    145KB

    MD5

    16a83869f3a5decb6f2308581d545602

    SHA1

    6601f4ec55351bded6fdd1986385e14e225bb2f8

    SHA256

    119a4e5167bd258dde45bd54bf7426886503e6e149549247aba2e357e380ac6b

    SHA512

    f7e03983e4567e94cec21bbb31a81fca645ed3cbef13b509a90ad011d56d2d22c79a05ce96dba392cdde068216628315ac2b8801e56c440eb35b3fa19102565a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\njRAT.exe
    Filesize

    979KB

    MD5

    6e107cf39b65e177b6c61f889483190d

    SHA1

    aff1fa552f8b42fbbd86ce19a6b366def822c239

    SHA256

    2c503fb73c2e0a87927c1bb980a4185e12774cd97cba40751008c1b661e08b5f

    SHA512

    b9df9a1c763e9d497fe73c6fa80a14faf184efc49fd04ac99b4c26c2ca6456400296b7f890d92245afad18ab8eac7fbad86b111dc3bad130945104f915fa3190

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\njRAT.exe
    Filesize

    979KB

    MD5

    6e107cf39b65e177b6c61f889483190d

    SHA1

    aff1fa552f8b42fbbd86ce19a6b366def822c239

    SHA256

    2c503fb73c2e0a87927c1bb980a4185e12774cd97cba40751008c1b661e08b5f

    SHA512

    b9df9a1c763e9d497fe73c6fa80a14faf184efc49fd04ac99b4c26c2ca6456400296b7f890d92245afad18ab8eac7fbad86b111dc3bad130945104f915fa3190

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\system.exe
    Filesize

    185KB

    MD5

    a82796f4ff9d86989f4075a626c0ac42

    SHA1

    e918915b1625998b230db18736be6a5a10936b0c

    SHA256

    875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b

    SHA512

    5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\system.exe
    Filesize

    185KB

    MD5

    a82796f4ff9d86989f4075a626c0ac42

    SHA1

    e918915b1625998b230db18736be6a5a10936b0c

    SHA256

    875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b

    SHA512

    5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98

    Download Submit
  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    61b6b94b2e7c24c7f06b160549a4e575

    SHA1

    18375a5654567b8a908e238cb34f7bc2520d76de

    SHA256

    eddda2c46f754fcf1a779ace9470a4fdb25fc5693ae2e0fa4c37b047c621f938

    SHA512

    080680caceea4ee3d6f1700a1909d927959dea6356f238b77c2f971984d88be4462ccab76188ebe8f9048b1ddd0e30ebf1d62401cc06e1b3b4fb277be1205f3e

    Download Submit
  • memory/212-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3660-138-0x0000000000000000-mapping.dmp
    Download
  • memory/3660-147-0x0000000074180000-0x0000000074731000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3660-146-0x0000000074180000-0x0000000074731000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3684-145-0x00007FF951B10000-0x00007FF952546000-memory.dmp
    Filesize

    10.2MB

    Download
  • memory/3684-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4192-132-0x0000000000000000-mapping.dmp
    Download