Analysis

  • max time kernel
    152s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2023, 01:44

General

  • Target

    aaaa.exe

  • Size

    3.3MB

  • MD5

    b6a18b64ba64922793c6849464a26332

  • SHA1

    883da851ff68f948ab237679e0df43561bab0a18

  • SHA256

    073d21d343ad5ea56b3a94e49a1a4e7c1ecb3c4a3e4aae167cd30d22b794ca6c

  • SHA512

    e8c0204eb07cd66960e3648435570afa63a5e7654d19092d89213e151ef8cddce3d333c8244bf60f3710e26507d333e0bf6b34d8f5aff3f90d237b9df61675d3

  • SSDEEP

    98304:P9qUaXiv7NMhB0qCp1KOU/Yqd0AuU0wA:P9Cy2hBOcgqd0G

Malware Config

Signatures

  • Detect Neshta payload 18 IoCs
  • Neshta

    Malware from the Neshta family inserts itself into other files in order to spread and cause damage.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Obfuscated with Agile.Net obfuscator 5 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aaaa.exe
    "C:\Users\Admin\AppData\Local\Temp\aaaa.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe
      "C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4008
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3616

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\GTA 5 Mod Menu v2.10.5.exe

    Filesize

    3.3MB

    MD5

    ea84cad2bff8c263e6cf3f8f11b93c73

    SHA1

    0628144ecdaa823e6f49e097b53558c8ceb72af8

    SHA256

    434d8e2bd4678fb649988a401449319ca31ca62cada789ef76167288bf9ce3eb

    SHA512

    4959b923f9445b779bc2fece6507bb735d6fede17bb464a3810c780b9709408cfa1255a93bdaa6fb1ec53bc1d250014e8d8d34d39dac8ea0076b01747e9d0d67

  • C:\Users\Admin\AppData\Local\Temp\GTA 5 Mod Menu v2.10.5.exe

    Filesize

    3.3MB

    MD5

    064510a44c3c41ae42b2d3c19cb3075e

    SHA1

    e747e3076ea823234f9e2cc186bcd7eda517e3a6

    SHA256

    24989d4ff18f32b53dab25b6b24eb2e3028084299c5693cd17d2e27d02d4d639

    SHA512

    8dec0fe5050bbc3bf73c611ac4deb6f47bb6dc4d5e1c4e359b764dd687c6744434056b1b26112d4c99e5382e75f28b7d533a53faffe5cefa8fdba7ccd3009885

  • C:\Users\Admin\AppData\Roaming\IXVJFF~1.EXE

    Filesize

    3.4MB

    MD5

    d135618e6963b7f5032053e385faee4a

    SHA1

    98901c512ecf3460bec867d24979ed18cfcbe95b

    SHA256

    8d9e06447423812a9a47232368e3c70486ac959fcfad9d81718ba12b0cbaf4bc

    SHA512

    806d478cd68f5884ac7b751f6da78183126437b8489e88ee1e14accc055a6416d10afae1f9d82ac7b087106fbb3074758bdbe3cf8a711fb668d36d9c19fe8eb5

  • memory/316-4-0x00000293D39A0000-0x00000293D3CEE000-memory.dmp

    Filesize

    3.3MB

  • memory/316-7-0x00000293BAC80000-0x00000293BACCC000-memory.dmp

    Filesize

    304KB

  • memory/316-6-0x00000293B9400000-0x00000293B9410000-memory.dmp

    Filesize

    64KB

  • memory/316-5-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

    Filesize

    10.8MB

  • memory/316-3-0x00000293B9400000-0x00000293B9410000-memory.dmp

    Filesize

    64KB

  • memory/316-0-0x00000293B8CC0000-0x00000293B901E000-memory.dmp

    Filesize

    3.4MB

  • memory/316-21-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

    Filesize

    10.8MB

  • memory/316-2-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

    Filesize

    10.8MB

  • memory/316-1-0x00000293D3540000-0x00000293D389E000-memory.dmp

    Filesize

    3.4MB

  • memory/3616-70-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

    Filesize

    10.8MB

  • memory/3616-48-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

    Filesize

    10.8MB

  • memory/3616-22-0x00007FFD58910000-0x00007FFD593D1000-memory.dmp

    Filesize

    10.8MB

  • memory/3616-18-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/3616-23-0x0000020420F20000-0x0000020420F30000-memory.dmp

    Filesize

    64KB

  • memory/3616-50-0x0000020420F20000-0x0000020420F30000-memory.dmp

    Filesize

    64KB

  • memory/4008-66-0x0000000008340000-0x0000000008354000-memory.dmp

    Filesize

    80KB

  • memory/4008-39-0x0000000005180000-0x0000000005212000-memory.dmp

    Filesize

    584KB

  • memory/4008-41-0x0000000005230000-0x000000000523A000-memory.dmp

    Filesize

    40KB

  • memory/4008-42-0x00000000053B0000-0x00000000053D0000-memory.dmp

    Filesize

    128KB

  • memory/4008-43-0x00000000053F0000-0x000000000544A000-memory.dmp

    Filesize

    360KB

  • memory/4008-44-0x0000000005170000-0x000000000517E000-memory.dmp

    Filesize

    56KB

  • memory/4008-45-0x0000000005470000-0x00000000054DE000-memory.dmp

    Filesize

    440KB

  • memory/4008-46-0x00000000054E0000-0x0000000005622000-memory.dmp

    Filesize

    1.3MB

  • memory/4008-40-0x00000000050D0000-0x00000000050E0000-memory.dmp

    Filesize

    64KB

  • memory/4008-36-0x00000000005C0000-0x0000000000910000-memory.dmp

    Filesize

    3.3MB

  • memory/4008-142-0x00000000050D0000-0x00000000050E0000-memory.dmp

    Filesize

    64KB

  • memory/4008-38-0x0000000005800000-0x0000000005DA4000-memory.dmp

    Filesize

    5.6MB

  • memory/4008-61-0x00000000083B0000-0x0000000008416000-memory.dmp

    Filesize

    408KB

  • memory/4008-37-0x0000000073B70000-0x0000000074320000-memory.dmp

    Filesize

    7.7MB

  • memory/4008-67-0x0000000073B70000-0x0000000074320000-memory.dmp

    Filesize

    7.7MB

  • memory/4008-68-0x00000000050D0000-0x00000000050E0000-memory.dmp

    Filesize

    64KB

  • memory/4008-69-0x00000000050D0000-0x00000000050E0000-memory.dmp

    Filesize

    64KB

  • memory/4380-47-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-16-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-141-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-49-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-143-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-144-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-145-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-146-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-147-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-148-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-149-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-150-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-151-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4380-152-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB