Overview

overview

10

Static

static

3

CI.exe

windows7-x64

10

CI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/08/2023, 09:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CI.exe

  • Size

    884KB

  • MD5

    ce27430516a6f6d69371c99490f2e555

  • SHA1

    085b6cfecb803a8afeef3ea65aedd5845fb06591

  • SHA256

    7cf16fa9b84052ebac0f1752fd4cb2a9ffc8ffafc757f785376f2bde6fb554a5

  • SHA512

    9327b737d518eddc865e8f238b2cbb892294fe756f5623cdf00fb04888dcccc3d4a26069dd9a5ad811327f20a04ac04d4561d8c66ec06d600ddb72c20a5d1d63

  • SSDEEP

    24576:A6gCs3Mqx+4V4Yp0bHTABN2Qno2WbPZTj:A6Bs3MqA3sBno2

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CI.exe
    "C:\Users\Admin\AppData\Local\Temp\CI.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SQdare.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3684
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SQdare" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35C1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3612
    • C:\Users\Admin\AppData\Local\Temp\CI.exe
      "C:\Users\Admin\AppData\Local\Temp\CI.exe"
      2⤵
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:4964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\CI.exe
    Filesize

    843KB

    MD5

    be30a004ac6ac5f8ecf0c52c0d21bfc3

    SHA1

    3de76284db11c9765b3233a655bd70016b15183d

    SHA256

    d4da93062b4ba35de60487c347d9843352743ac380750ee25cdd7eae43a9ef59

    SHA512

    9c4f5b7745dd94b92a30cf194c09d56ddf5d1feb5dcc1ffe3192720f69d751b728d4e87a55ebe5df14c6ca87441cf996939523a3f9396f0de9a844741f9a0fb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjbnnbud.s40.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp35C1.tmp
    Filesize

    1KB

    MD5

    746b055357c6831b4593eee5839a79d0

    SHA1

    8d88e651c97ad7c7b02a4d3708d5109cc7c576f1

    SHA256

    89ffa8dc384f355564ebb30a363d90e67927f4fe432f11691760b2d31dd9df16

    SHA512

    b6da1bf88a193a6803ac61968871606d4a46098ebb214362e9d8f16cd8da5b4ca346bb09bf7d43579948e018409746fd940cabba2f1cf5c91ff675b9357d2fb3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SQdare.exe
    Filesize

    884KB

    MD5

    ce27430516a6f6d69371c99490f2e555

    SHA1

    085b6cfecb803a8afeef3ea65aedd5845fb06591

    SHA256

    7cf16fa9b84052ebac0f1752fd4cb2a9ffc8ffafc757f785376f2bde6fb554a5

    SHA512

    9327b737d518eddc865e8f238b2cbb892294fe756f5623cdf00fb04888dcccc3d4a26069dd9a5ad811327f20a04ac04d4561d8c66ec06d600ddb72c20a5d1d63

    Download Submit

  • C:\odt\OFFICE~1.EXE
    Filesize

    5.1MB

    MD5

    e25bd42634286c180233d3cb82dc6ce4

    SHA1

    88d9363bfd376d55c68f08fc65642fb111e5d214

    SHA256

    f15f7eeff7ef269632f56058309d3aed8bef8a6011554a92d6ccdf41f5475fbe

    SHA512

    204540189ff350621bcde931effb1d25e870c91760d5e8973bdffb307dc697913e9070782c325034966d526d4c3dadfe15f02514fcf800b3db51e9d5555669da

    Download Submit

  • memory/3684-159-0x0000000005E90000-0x0000000005EF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3684-153-0x00000000057F0000-0x0000000005E18000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3684-281-0x0000000074F10000-0x00000000756C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3684-278-0x0000000074F10000-0x00000000756C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3684-146-0x0000000002C30000-0x0000000002C66000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3684-277-0x0000000007B80000-0x0000000007B88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3684-148-0x0000000074F10000-0x00000000756C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3684-149-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-150-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-276-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3684-275-0x0000000007A90000-0x0000000007A9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3684-198-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-265-0x0000000007AE0000-0x0000000007B76000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3684-264-0x00000000078D0000-0x00000000078DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3684-158-0x0000000005670000-0x0000000005692000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3684-261-0x0000000007860000-0x000000000787A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3684-259-0x0000000007EB0000-0x000000000852A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3684-165-0x0000000005F00000-0x0000000005F66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3684-251-0x0000000006B10000-0x0000000006B2E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3684-241-0x0000000071500000-0x000000007154C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3684-240-0x00000000074E0000-0x0000000007512000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3684-186-0x0000000006560000-0x000000000657E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3700-136-0x00000000058F0000-0x0000000005982000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3700-138-0x0000000005870000-0x000000000587A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3700-139-0x0000000074F10000-0x00000000756C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3700-137-0x00000000058C0000-0x00000000058D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-166-0x0000000074F10000-0x00000000756C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3700-134-0x0000000074F10000-0x00000000756C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3700-140-0x00000000058C0000-0x00000000058D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-135-0x0000000005EA0000-0x0000000006444000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3700-133-0x0000000000D90000-0x0000000000E72000-memory.dmp

    Filesize

    904KB

    Download

  • memory/3700-141-0x0000000009EF0000-0x0000000009F8C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4964-154-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4964-151-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4964-152-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4964-157-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4964-282-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4964-284-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download