Analysis

  • max time kernel
    156s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2022 14:40

General

  • Target

    ab9075103497d634186aa3dadd92930e2cb2c3a9a2cbc55800cdbe7f5f445f3f.exe

  • Size

    112KB

  • MD5

    c0eed9eedb087f8bbbc35791c6915d1d

  • SHA1

    1a7ea22e8680282a1e74446605ab008f6904e78e

  • SHA256

    ab9075103497d634186aa3dadd92930e2cb2c3a9a2cbc55800cdbe7f5f445f3f

  • SHA512

    b298a56a60984f471d6524e641299574e3f4d269a6783eeba985cbdf50cbdf6ef6e9babea89d1159f7968503bcb6ff23cf8742f995c719e65587e0ad1d8527cf

  • SSDEEP

    1536:JxqjQ+P04wsmJCatNYYYYtz+yY76HatP4s+3LLpJrC5SmqKiJoqzh:sr85CatNYYYYtzJY766tPXkaYh1h

Malware Config

Signatures

  • Detect Neshta payload 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab9075103497d634186aa3dadd92930e2cb2c3a9a2cbc55800cdbe7f5f445f3f.exe
    "C:\Users\Admin\AppData\Local\Temp\ab9075103497d634186aa3dadd92930e2cb2c3a9a2cbc55800cdbe7f5f445f3f.exe"
    1
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Users\Admin\AppData\Local\Temp\3582-490\ab9075103497d634186aa3dadd92930e2cb2c3a9a2cbc55800cdbe7f5f445f3f.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\ab9075103497d634186aa3dadd92930e2cb2c3a9a2cbc55800cdbe7f5f445f3f.exe"
      2
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1396

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Change Default File Association (1) - T1042
  • Defense Evasion
    Modify Registry (1) - T1112
  • Credential Access
    Credentials in Files (1) - T1081
  • Discovery
    Query Registry (1) - T1012
    System Information Discovery (2) - T1082
  • Collection
    Data from Local System (1) - T1005

Downloads

  • C:\ODT\office2016setup.exe
    Filesize

    5.1MB

    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

  • C:\Users\Admin\AppData\Local\Temp\3582-490\ab9075103497d634186aa3dadd92930e2cb2c3a9a2cbc55800cdbe7f5f445f3f.exe
    Filesize

    72KB

    MD5

    8d0a1c12e6715ba92cc727201a55d6b5

    SHA1

    23451d2811f3f0e6752a749d10a9d37f012a840d

    SHA256

    a98b8aff872e2fcc587896fb6cd06ab5e9d6e7e8b4e53291ab8418c43ed92647

    SHA512

    3aad1abab9b19c951e97c26e891345a60908e5b3e07f93fecb29707ded936382f83653ce417cb92a463ba4987d89b44f6b2dc2e976db4475affee4501c439dba

  • C:\Windows\SysWOW64\vcmgcd32.dll
    Filesize

    36KB

    MD5

    ae22ca9f11ade8e362254b452cc07f78

    SHA1

    4b3cb548c547d3be76e571e0579a609969b05975

    SHA256

    20cbcc9d1e6bd3c7ccacbe81fd26551b2ccfc02c00e8f948b9e9016c8b401db6

    SHA512

    9e1c725758a284ec9132f393a0b27b019a7dde32dc0649b468152876b1c77b195abc9689b732144d8c5b4d0b5fcb960a3074264cab75e6681932d3da2a644bc1

  • memory/1396-132-0x0000000000000000-mapping.dmp
  • memory/1396-136-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

  • memory/1396-137-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize

    68KB

  • memory/1396-139-0x0000000010000000-0x0000000010011000-memory.dmp
    Filesize

    68KB