Resubmissions

22-07-2023 16:57

230722-vgfqvsca7w 10

22-07-2023 16:55

230722-vfberabe82 10

Analysis

  • max time kernel
    19s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2023 16:57

General

  • Target

    Seronxelia.exe

  • Size

    967KB

  • MD5

    46a3d8811d01026d94d8e759523e23a9

  • SHA1

    419901b53b71cca4c64b448a29e4efe786b434a3

  • SHA256

    29ef45674dff9b87bcec73404c08d4c4264747119efdd33867b8d9a84cbbde51

  • SHA512

    ab058b5b5835ba9e582c03ebef783ca911837693e3005cb9dea1ac62d09b18bd390415908ab94e16a15d6bad748ddbc7e8630eaf968b3383202b6e28f111face

  • SSDEEP

    12288:J7h7MLK768G5VBCLTj71QnhFkyHYSNau90gn8iD6/5PI1boANc1vZ3Mqwwdf+Y:JR7W8GyOnDpmdIaAS1xNh+Y

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Neshta is a file infector: it prepends its own code to other executables, so launching any infected program runs the infector first, which then spreads to further executables on the host and leaves them infected until the original program is carved back out.

  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry, most likely to geofence execution.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Seronxelia.exe
    "C:\Users\Admin\AppData\Local\Temp\Seronxelia.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Local\Temp\3582-490\Seronxelia.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\Seronxelia.exe"
      2⤵
      • Executes dropped EXE
      PID:2204
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x424 0x2e8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4952
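The process tree above is the signature of a prepending file infector: the submitted file (PID 856) is the infector stub wrapped around a host program, and it writes the original program out to %TEMP%\3582-490\ and launches it (PID 2204), which is why the dropped copy is 926KB against a 967KB submission. The following script, added here as an example and not code from the sandbox or from any analysis project, carves that original out of an infected file by locating the second valid MZ/PE image, checks the carved bytes against the dropped-file SHA256 listed under Downloads, and checks a host's exefile open command against the stock value (the report says the sample rewrites that association but does not show what it writes). The report hashes are real; the stub size constant is an assumption about the family, and the input at the bottom is constructed for the demo.

```python
"""Triage helpers for a Neshta-style prepending file infector (added example)."""
import hashlib
import struct

# SHA256 values copied from the report: the submitted file and the dropped original.
REPORT_INFECTED_SHA256 = "29ef45674dff9b87bcec73404c08d4c4264747119efdd33867b8d9a84cbbde51"
REPORT_ORIGINAL_SHA256 = "4d9f031b8a37437bdb7fc78f1e0b7eb7f2d13c3c4067c5880bb257b15334a3b7"
ASSUMED_NESHTA_STUB_SIZE = 41_472  # assumption: commonly reported stub size, not from the report

# Stock (Default) value of HKCR\exefile\shell\open\command on a clean Windows host.
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def pe_header_offset(buf: bytes, mz_off: int):
    """Return the PE signature offset if buf[mz_off:] is a plausible MZ/PE image, else None."""
    if buf[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, mz_off + 0x3C)
    pe_off = mz_off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 > len(buf) or buf[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    return pe_off


def find_embedded_pes(buf: bytes) -> list:
    """Offsets of every MZ header in buf whose e_lfanew points at a PE signature."""
    offs, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) >= 0:
        if pe_header_offset(buf, pos) is not None:
            offs.append(pos)
        pos += 2  # keep scanning: "MZ" also occurs inside ordinary data
    return offs


def carve_original(buf: bytes):
    """Split an infected file into (stub, original); None if no second image is appended."""
    offs = find_embedded_pes(buf)
    if len(offs) < 2 or offs[0] != 0:
        return None
    cut = offs[1]  # first embedded image after the outer one is the host program
    return buf[:cut], buf[cut:]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_report(original: bytes, expected_sha256: str = REPORT_ORIGINAL_SHA256) -> bool:
    """True when the carved program hashes to the dropped 3582-490 file from the report."""
    return sha256_hex(original) == expected_sha256.lower()


def exefile_association_is_clean(command_value: str) -> bool:
    """Check the (Default) value of exefile\\shell\\open\\command read from a host.

    Anything other than the stock '"%1" %*' means every .exe launch is proxied through
    another binary, which is how this family keeps running after infected files are cleaned.
    """
    return command_value.strip() == CLEAN_EXEFILE_COMMAND


def make_fake_pe(body: bytes) -> bytes:
    """Constructed test input: minimal MZ header with e_lfanew=0x40, then PE\\0\\0 and body."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + body


# Constructed demo input: a fake stub of the assumed size followed by a fake host program.
FAKE_STUB = make_fake_pe(b"\x90" * (ASSUMED_NESHTA_STUB_SIZE - 0x44))
FAKE_ORIGINAL = make_fake_pe(b"host program body")
FAKE_INFECTED = FAKE_STUB + FAKE_ORIGINAL

if __name__ == "__main__":
    stub, original = carve_original(FAKE_INFECTED)
    print(f"stub {len(stub)} bytes, original {len(original)} bytes")
    print("carved original matches expected hash:",
          matches_report(original, sha256_hex(FAKE_ORIGINAL)))
    print("exefile association clean:", exefile_association_is_clean('"%1" %*'))
```

On a real sample, read the submitted file's bytes, run carve_original, and expect the carved part to hash to REPORT_ORIGINAL_SHA256 and the stub length to match the size difference shown in the report; a mismatch means the file was modified further after infection or is not a plain prepender.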

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

    Filesize

    2.4MB

    MD5

    8ffc3bdf4a1903d9e28b99d1643fc9c7

    SHA1

    919ba8594db0ae245a8abd80f9f3698826fc6fe5

    SHA256

    8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

    SHA512

    0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

  • C:\Users\Admin\AppData\Local\Temp\3582-490\Seronxelia.exe

    Filesize

    926KB

    MD5

    405251bfd9eba67ef7f0533fe4af4630

    SHA1

    c73f1ad42e0f1becda42c2ebb40d36105c8c5679

    SHA256

    4d9f031b8a37437bdb7fc78f1e0b7eb7f2d13c3c4067c5880bb257b15334a3b7

    SHA512

    2b98bcdf5f9b1b35dd5e52090fc3eb2433157f90915a1cef898a71d95df224f2076b19b23743a4f83205562ba047c59ddc640c28ddd3ba24ca823d1a4da829d5

  • memory/856-225-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/856-227-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2204-146-0x000001E6959A0000-0x000001E695A8C000-memory.dmp

    Filesize

    944KB

  • memory/2204-147-0x00007FFAE7C70000-0x00007FFAE8731000-memory.dmp

    Filesize

    10.8MB

  • memory/2204-148-0x000001E697720000-0x000001E697730000-memory.dmp

    Filesize

    64KB

  • memory/2204-224-0x00007FFAE7C70000-0x00007FFAE8731000-memory.dmp

    Filesize

    10.8MB

  • memory/2204-226-0x000001E697720000-0x000001E697730000-memory.dmp

    Filesize

    64KB