Overview

overview

10

Static

static

3

9d7efad182...cb.exe

windows7-x64

10

9d7efad182...cb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/03/2024, 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe

  • Size

    3.0MB

  • MD5

    056c3b73ea0edf02f734d445ed945e55

  • SHA1

    b25b0c776707501b2ec9097a147f1a9d23146de1

  • SHA256

    9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb

  • SHA512

    d01e4660843136a71358a7d2dc86878f528ded1964ca5eaa7bb217faf0e7af4c07c0797987ea3b25b19947f12d659fca939bf8d891107f3fd8a61adc9ec11945

  • SSDEEP

    49152:CHyjtk2MYC5GDvdAxk6N7MgR05ZHVFveSo6ghCn9:Cmtk2aOdAxzN7Mu05ZHfeSfn9

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe
    "C:\Users\Admin\AppData\Local\Temp\9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\3582-490\9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\Users\Admin\AppData\Local\Temp\._cache_9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe"
        3⤵
        • Executes dropped EXE
        PID:4592
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          PID:2900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
    Filesize

    5.4MB

    MD5

    84b30000a35a55c67e84de0f290b2aae

    SHA1

    cc02e628b5681ee37de60c03671290c5db4cba90

    SHA256

    185a9f8c1671f68846946a1f853a9224fc8ca728e20bd047d0305a20a6bc5ab0

    SHA512

    e08e97e340d4e256fc3805b57d82806e7805b591ead9e01076d329da21a4958062c76273f168aa8f098323729120046f84ee0ba1a523883df920f86f3e666af5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe
    Filesize

    1.9MB

    MD5

    fd5d6e2e51949458d18066924da8dc95

    SHA1

    1d0097fa9da717cc71ad66226b28910b19dc9a48

    SHA256

    66f07a47ff70b2933574ecfb2cacfbf74c9bc1812ba108f8cf1f66d8714dc41e

    SHA512

    2461a80659b25f679d25b72b57e869a74cccbbe1cfd233807f793fdf13002d6969417a39a558e282c109ba7fd920172f4e746e0a20abe72be2b69074cc0da6b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\9d7efad1823c88b8b5b0b07ae9028fc23d2639445a0d95b48d9360b0ab9e68cb.exe
    Filesize

    3.0MB

    MD5

    d89e4e7c52d47b0a1046e4322a96e6ca

    SHA1

    55978c5c522658b9b11db4a64607e943d0090fef

    SHA256

    c5fac682547181b877cf19e707fdfe12502619c7d805b863c75c0b5873f6bd6e

    SHA512

    e2ce7af958645af6ad33df2b654983e9b2e365ac4ed21496acc4f235f16ce06d7abf91ad162db60f0792f781a23d2d86879bbfb675af3f5348dae1fa151213b3

    Download Submit

  • memory/2792-236-0x0000000000400000-0x00000000006FC000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2792-268-0x0000000000400000-0x00000000006FC000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2792-240-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2792-116-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3132-237-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-235-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-239-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-242-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-244-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-246-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-267-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-269-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3132-274-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3392-114-0x0000000000400000-0x00000000006FC000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3392-14-0x00000000009C0000-0x00000000009C1000-memory.dmp

    Filesize

    4KB

    Download