Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2022 19:58

General

  • Target

    d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3.exe

  • Size

    396KB

  • MD5

    41956e009d24aa737a04363df16459d6

  • SHA1

    a3baa9fe3d182a2aabc08dedb145a7c2da3fd337

  • SHA256

    d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3

  • SHA512

    45843bc6990cde4020f58b3a16286b8ccff5cb2f3f1ec3f33eae065b7de1964fc6df18050ce0fb575049aabc93e1c3c8165e1a60d4f61b20bc80962bfa8b5bfe

  • SSDEEP

    12288:PLCFFPn7pyEpygGRJdNmhw9f9DUqmZpFVOtaX:PLAPnEaX

Malware Config

Signatures

  • Detect Neshta payload 17 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it copies its body into other executables so that running any infected program spreads it further. The indicators in this run that fit the family are the copy dropped as C:\Windows\svchost.com, the rewritten executable filetype association (which is why svchost.com appears at step 5 of the process tree wrapping a rundll32.exe launch), and the executables under Program Files that the dropped-file list shows being rewritten. The 40KB difference between the submitted file (396KB) and the copy it extracts to Temp\3582-490 (356KB) matches the size of svchost.com, consistent with the infector body being prepended to the host program and the clean original being carved back out at run time; the SHA256 of that Temp copy is therefore the hash of the original host program, not of the infector.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry. The sandbox flags this as a possible geofence, but two of the three hits here come from the cmd /c intl.cpl chain (PIDs 5032 and 560), i.e. from opening the Region control panel, so on its own this is weak evidence of geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials. No individual IoC is listed for this signature in the report, so treat it as an unconfirmed hit rather than evidence of credential theft.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to enumerate connected storage/optical drives. The sandbox's generic note attributes this to ransomware; for a file infector it is equally consistent with walking drives for executables to infect, which is what the Program Files writes in this run suggest.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3.exe
    "C:\Users\Admin\AppData\Local\Temp\d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\3582-490\d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c intl.cpl
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\SysWOW64\control.exe
          "C:\Windows\System32\control.exe" "C:\Windows\system32\intl.cpl",
          4⤵
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4984
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\intl.cpl",
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2292
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL "C:\Windows\system32\intl.cpl",
              6⤵
              • Checks computer location settings
              • Modifies Control Panel
              PID:560
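
The two findings from the tree that are worth turning into host-side checks are the rewritten executable filetype association and the way C:\Windows\svchost.com wraps the rundll32.exe launch at step 5. The Python below is an added example, not code from the sandbox or from the sample: the clean exefile command value is the Windows default, the hijacked value is constructed from the step-5 command line (on a real host read it with reg query HKCR\exefile\shell\open\command /ve), the SHA256 values are copied from the dropped-file list further down, and the function names are mine.

```python
"""Host-side triage checks for the Neshta indicators in this report.

Added example; not code from the sandbox or the sample. The clean
exefile command value is the Windows default; the hijacked value is
constructed from step 5 of the process tree; the SHA256 values are
copied from the report's dropped-file list.
"""
from __future__ import annotations

import re
from typing import Optional

# Default HKCR\exefile\shell\open\command on a clean Windows install:
# run the launched file ("%1") with its own arguments (%*).
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# SHA256 values the report lists for this sample's key artifacts.
REPORT_SHA256 = {
    "a560391854f37c9548f64a44ae7a570c4807867cede61b9d17b3511e52f49348":
        r"C:\Windows\svchost.com (Neshta infector body)",
    "2ffbc57df8f122c7496148fad4600962962a98aa057271e8978fa108ac442b52":
        r"%TEMP%\3582-490\<name>.exe (host program carved out by the infector)",
    "d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3":
        "submitted sample (infected host program)",
}

# A double-quoted token, or a bare run of non-whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def exefile_hijacker(command_value: str) -> Optional[str]:
    """Return the interposed launcher if the exefile open command is hijacked.

    Neshta rewrites the value so that every .exe launch first runs its own
    copy (C:\\Windows\\svchost.com in this report), which then starts the
    real target. Anything placed before "%1" is therefore a hijack.
    """
    tokens = split_cmdline(command_value.strip())
    if tokens == split_cmdline(CLEAN_EXEFILE_COMMAND):
        return None
    if tokens and tokens[0] != "%1":
        return tokens[0]
    return None


# A path-like token ending in an executable extension.
_EXE_PATH = re.compile(r"[\\/].*\.(exe|com|scr)$", re.IGNORECASE)


def interposed_launch(cmdline: str) -> Optional[tuple[str, str]]:
    """Spot a process whose first argument is itself an executable path.

    Step 5 of the tree has exactly this shape:
      "C:\\Windows\\svchost.com" "C:\\Windows\\system32\\rundll32.exe" Shell32.dll,...
    Returns (launcher, real_target), or None for an ordinary command line.
    """
    tokens = split_cmdline(cmdline)
    if len(tokens) >= 2 and _EXE_PATH.search(tokens[1]):
        return tokens[0], tokens[1]
    return None


def match_report_iocs(sha256_values) -> dict[str, str]:
    """Map any SHA256 from the input that appears in the report's artifact list."""
    hits = {}
    for value in sha256_values:
        key = value.strip().lower()
        if key in REPORT_SHA256:
            hits[key] = REPORT_SHA256[key]
    return hits


if __name__ == "__main__":
    hijacked = r'"C:\Windows\svchost.com" "%1" %*'   # constructed from step 5
    print(exefile_hijacker(CLEAN_EXEFILE_COMMAND))   # None
    print(exefile_hijacker(hijacked))                # C:\Windows\svchost.com
    step5 = (r'"C:\Windows\svchost.com" "C:\Windows\system32\rundll32.exe" '
             r'Shell32.dll,Control_RunDLL "C:\Windows\system32\intl.cpl",')
    print(interposed_launch(step5))
    print(match_report_iocs(["A560391854F37C9548F64A44AE7A570C4807867CEDE61B9D17B3511E52F49348"]))
```

The association check is the one to run first during cleanup: restoring the registry value before removing C:\Windows\svchost.com avoids leaving every .exe launch pointing at a file that no longer exists.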

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    Filesize

    368KB

    MD5

    a344438de9e499ca3d9038688440f406

    SHA1

    c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

    SHA256

    715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

    SHA512

    8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
    Filesize

    5.7MB

    MD5

    471811cb30f5b707e1cb8d898ab9dd85

    SHA1

    d27a6db0457555ad5187eab3438073eb1034418e

    SHA256

    f4609ed3168deec3c6150a064956ce61bea6e18c746e55ca0b032ba56fc1f75c

    SHA512

    118f658797e84b08dd5495406ebb1c0dec96833ddbfe189777640085ddc47c3a943c2effed4273f4fec679269d1849ff9cd54bb31a1abb632438225cfca9af29

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
    Filesize

    254KB

    MD5

    4ddc609ae13a777493f3eeda70a81d40

    SHA1

    8957c390f9b2c136d37190e32bccae3ae671c80a

    SHA256

    16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

    SHA512

    9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
    Filesize

    125KB

    MD5

    cce8964848413b49f18a44da9cb0a79b

    SHA1

    0b7452100d400acebb1c1887542f322a92cbd7ae

    SHA256

    fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

    SHA512

    bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

  • C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
    Filesize

    1.2MB

    MD5

    8e42f3a4a399d84e67ed633ba23863cb

    SHA1

    02ebfa5274214dcc48acfd24b8da3fb5cb93f6c6

    SHA256

    42716ea8beca9e555cef3b78a2fbf836c9da034318d625262810290309d955db

    SHA512

    0f6af721a89c2cf7249ecb1cc0a263c6252f8762b7381b35ccff6347d7d069799d2f0561bec0a651d690fbf29c98050bf15b604d3cca668b7437503ba102492f

  • C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
    Filesize

    525KB

    MD5

    0d9146d70ac6a41ead1ea2d50d729508

    SHA1

    b9e6ff83a26aaf105640f5d5cdab213c989dc370

    SHA256

    0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

    SHA512

    c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

  • C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    Filesize

    495KB

    MD5

    07e194ce831b1846111eb6c8b176c86e

    SHA1

    b9c83ec3b0949cb661878fb1a8b43a073e15baf1

    SHA256

    d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

    SHA512

    55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

  • C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
    Filesize

    534KB

    MD5

    8a403bc371b84920c641afa3cf9fef2f

    SHA1

    d6c9d38f3e571b54132dd7ee31a169c683abfd63

    SHA256

    614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

    SHA512

    b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

  • C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    Filesize

    6.7MB

    MD5

    32853955255a94fcd7587ca9cbfe2b60

    SHA1

    c33a88184c09e89598f0cabf68ce91c8d5791521

    SHA256

    64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

    SHA512

    8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

  • C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
    Filesize

    526KB

    MD5

    cc5020b193486a88f373bedca78e24c8

    SHA1

    61744a1675ce10ddd196129b49331d517d7da884

    SHA256

    e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

    SHA512

    bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

  • C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
    Filesize

    674KB

    MD5

    97510a7d9bf0811a6ea89fad85a9f3f3

    SHA1

    2ac0c49b66a92789be65580a38ae9798237711db

    SHA256

    c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

    SHA512

    2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

  • C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
    Filesize

    715KB

    MD5

    06366e48936df8d5556435c9820e9990

    SHA1

    0e3ed1da26a0c96f549720684e87352f1b58ef45

    SHA256

    cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

    SHA512

    bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

  • C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
    Filesize

    536KB

    MD5

    31685b921fcd439185495e2bdc8c5ebf

    SHA1

    5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

    SHA256

    4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

    SHA512

    04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    Filesize

    525KB

    MD5

    0d9146d70ac6a41ead1ea2d50d729508

    SHA1

    b9e6ff83a26aaf105640f5d5cdab213c989dc370

    SHA256

    0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

    SHA512

    c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

  • C:\Users\Admin\AppData\Local\Temp\3582-490\d2b20a48aa22640f1c1ff7da5792a8e4bc7a8105861831219d8d3ef33d5a0ce3.exe
    Filesize

    356KB

    MD5

    e8e71b9c796b81fecf961547492953d8

    SHA1

    dc9e63c61307bd952e67b31e43707708019e6559

    SHA256

    2ffbc57df8f122c7496148fad4600962962a98aa057271e8978fa108ac442b52

    SHA512

    c4289676e651c1aaf4fcf3dfedf370b5e7dbcd4d1394d9ac2bd107e50143420e428949d44ca0eb0c60037648356cbff057bdfb6753f64c5484964111e51091d0

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    a70f62119d31dc9def2e364ceb81306f

    SHA1

    738de3b8d295abdeee97fcf85381e9d5b6c45b4c

    SHA256

    a560391854f37c9548f64a44ae7a570c4807867cede61b9d17b3511e52f49348

    SHA512

    c93b69abd374266c9fe5f2f00e63430c00fe95fd0a2935aaf09fdba869eb3d7b225de662f68b6c3b5f9abf3e3151865587d9e3093967931290bc2b2a68c8a3c7

  • C:\odt\OFFICE~1.EXE
    Filesize

    5.1MB

    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

  • memory/560-142-0x0000000000000000-mapping.dmp
  • memory/2292-139-0x0000000000000000-mapping.dmp
  • memory/3752-132-0x0000000000000000-mapping.dmp
  • memory/4984-138-0x0000000000000000-mapping.dmp
  • memory/5032-137-0x0000000000000000-mapping.dmp
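
The sizes in the list above (submitted file 396KB, copy extracted to Temp\3582-490 356KB, C:\Windows\svchost.com 40KB) are what a responder needs to recover an infected program's original contents. The Python below is an added example, not code from the sandbox or the sample. It assumes Neshta's known infection layout, in which the infector body sits in front of the original file and is what the infector strips off when it extracts the host to Temp\3582-490; the report does not state that layout, only numbers that fit it. The sample data is constructed; on a real host the stub length to try first is the size of the svchost.com the sample dropped, and a correct carve of the submitted file should hash to the Temp\3582-490 SHA256 listed above.

```python
"""Carve the host program back out of a Neshta-infected executable.

Added example; not code from the sandbox or the sample. Assumes Neshta's
known layout: infector body first, original file after it. The report's
sizes fit this (396KB submitted, 356KB extracted, 40KB svchost.com) but
the report itself does not describe the layout. All sample data below is
constructed.
"""
from __future__ import annotations

import hashlib
from typing import Iterable, Optional

# SHA256 the report lists for the file extracted to Temp\3582-490, i.e.
# what a correct carve of the submitted sample should hash to.
REPORT_EXTRACTED_SHA256 = "2ffbc57df8f122c7496148fad4600962962a98aa057271e8978fa108ac442b52"


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: MZ header and a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def carve_host(infected: bytes, stub_len: int) -> Optional[bytes]:
    """Return everything after the infector stub if it is a PE file, else None."""
    if stub_len <= 0 or stub_len >= len(infected):
        return None
    host = infected[stub_len:]
    return host if looks_like_pe(host) else None


def find_stub_len(infected: bytes, candidates: Iterable[int] = ()) -> Optional[int]:
    """Pick the stub length: try the given candidates first (the size of the
    dropped svchost.com), then fall back to the first embedded PE header."""
    for n in candidates:
        if carve_host(infected, n) is not None:
            return n
    pos = infected.find(b"MZ", 1)
    while pos != -1:
        if carve_host(infected, pos) is not None:
            return pos
        pos = infected.find(b"MZ", pos + 1)
    return None


def sha256_hex(data: bytes) -> str:
    """Hex SHA256, for comparing a carve against the report's listed hash."""
    return hashlib.sha256(data).hexdigest()


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed PE-shaped blob: MZ header, e_lfanew = 0x40, then PE\\0\\0."""
    return b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + payload


def demo() -> tuple[int, bool, bool]:
    """Infect a constructed host with a constructed stub, then carve it back.

    Returns (stub length found from the size hint,
             whether the blind scan found the same offset,
             whether the carved bytes hash to the original host)."""
    stub = make_fake_pe(b"infector stub " * 4)     # stands in for the 40KB svchost.com
    host = make_fake_pe(b"host program " * 8)
    infected = stub + host
    n_known = find_stub_len(infected, [len(stub)])
    n_scan = find_stub_len(infected)
    carved = carve_host(infected, n_scan)
    return n_known, n_scan == len(stub), sha256_hex(carved) == sha256_hex(host)


if __name__ == "__main__":
    print(demo())   # (124, True, True)
```

Carving recovers the program's contents for comparison against a known-good copy or the sandbox's hash; it is not a substitute for reinstalling the affected software, since a carve can only be trusted once its hash matches a clean reference.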