Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
29-12-2023 22:36
General
-
Target
05cc5b2de4449992125e6e90608f2302.exe
-
Size
1.3MB
-
MD5
05cc5b2de4449992125e6e90608f2302
-
SHA1
ce34a24aba7279962957093f154c6956542d5b8f
-
SHA256
aa7887ec53dce8c5b5b24952d301e8d9918a440df6d2362b077c8171f5376566
-
SHA512
ee25be599e8c76b8eafd4192ba9d015f4460dabf1231804c6fbb73e7d3502f8d9882389d7b448ab288d192a2f914758e6704b1c08df8bfc45df3ba2288bdc980
-
SSDEEP
12288:UwYhZawoQC0Z0uH7h2ZsIfm+yWBGUATczdqOc4ClSTubgdIb+lmh3EXmPLl8/iLq:sCn1ZsjM9A4z4ST9mukk
Malware Config
Signatures
-
Detect Neshta payload 5 IoCs
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05cc5b2de4449992125e6e90608f2302.exe"C:\Users\Admin\AppData\Local\Temp\05cc5b2de4449992125e6e90608f2302.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\05cc5b2de4449992125e6e90608f2302.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\05cc5b2de4449992125e6e90608f2302.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\05cc5b2de4449992125e6e90608f2302.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\05cc5b2de4449992125e6e90608f2302.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzAEyguzUU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp654.tmp"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\schtasks.exe /Create /TN Updates\QzAEyguzUU /XML C:\Users\Admin\AppData\Local\Temp\tmp654.tmp1⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD52f8e605abb6b4367d096089d71f04123
SHA1806a24b0a5b8ebecdd2b3c6511ecb744ce261121
SHA256bb452f35c054b12ea3ed682be92bf5485f6cf289abb7ed4c707dadf4bd5aa709
SHA5129445e47fffc9f9d605213946c5c8aa63302a2fd80d221273031f40b9fa3aac5808bf2bc6bc3dba7503310e8085281642eff02d18b1639c2d4cd1cc06f8b31a24
-
Filesize
1.1MB
MD5dcdef005c0e3ac17efd5c287a199db29
SHA18257fb70dd321ff32fa2a90f7dff7852b612d6b9
SHA256e0fcb38eeee86ccb72288d6263c685cf93baba56b15626fb70e1a2096bd82f0b
SHA5123dd631e952be922e5a66967df8b0ef76088a0ca1f9fb71c0ed9085326ee5c08af1c0f3adc0a32f162f388ecdd2e42e212470c13b79aa977a9b0faa9d89a33d41
-
Filesize
8B
MD5ab7de28fcc03ba9183812c4998bfcbbb
SHA19ef916b532924474db47816d791b4df972dc7276
SHA2563453c70759ad9c95d68c0d1d1d529ba4b2c5cbdf76713bd6b330a3e31fc4ec26
SHA51238d00063a91a53dd06e4f65c2a200240d2ba774d870607e64f2edbb98a935b4fda2eba03c77ea3d74e37ad2ebba9c8df464127ee24a762777b4e860e0f71c69e
-
Filesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
696KB
-
Filesize
520KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
1.3MB
-
Filesize
624KB
-
Filesize
108KB
-
Filesize
56KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
64KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
7.7MB
-
Filesize
160KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
64KB