Overview

overview

10

Static

static

3

fc7c9c64d0...5a.exe

windows7-x64

10

fc7c9c64d0...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe

  • Size

    728KB

  • MD5

    9762ce69c2bf80bf5ffd1029ac0b11ec

  • SHA1

    49694133876acbe35f5493d99a967089ea1cc17a

  • SHA256

    fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

  • SHA512

    6ca9dd8b6774f47d5f72727bc5e5ff9764ee145522747342d13854f571d61314c2f1bd83125dd181ad0d8f7c4a1a77974668d10f14876de293f2e30ba33e0e44

  • SSDEEP

    12288:LxyXRz/I7vByWqTBAdLh9pyEpF/6AJdrWZE1uSRHC6ZDV0xhB01/6NIMt4vv+Kyb:L0Q7vByOTzJRWZeRiMV0DBLNIMaGKy3L

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Detects executables packed with SmartAssembly 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe
    "C:\Users\Admin\AppData\Local\Temp\fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rdYXPAGu.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rdYXPAGu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A26.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2960
    • C:\Users\Admin\AppData\Local\Temp\fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe
      "C:\Users\Admin\AppData\Local\Temp\fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe"
      2⤵
      • Checks computer location settings
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    Filesize

    328KB

    MD5

    b0fe552b3245b5caa4ecd56cdff66f5b

    SHA1

    75dfa00d4cc7c51133b13dd9bbf29c6f008396d9

    SHA256

    ff63ca141bcc1c4bbb076e11cbc4638be2419e1739b2fae5ed52faa16770d251

    SHA512

    54411d29c03167c8d16e9431a8eb8f2222559ab7bfff9e475f422c5921852205fa3a8713e3192996c4f9a77457c5fe6561aa21f0065b56d5fe96df8344fa898d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    ae58bc5562d8df9e68ab33dd0d1f91cc

    SHA1

    995d7b074b5ff54289dcddc71bb569a1024029a8

    SHA256

    6299ef0e16992f40f34a19cb19dad29587cbbd1298cd48725ea1dc43456e3ba3

    SHA512

    90854349017046a08194d73f8c7360f92bf5e32dabad84074bf1fdb4238345abdc56dff39a5010251440fb427b20f86f4af5ca27ebd7f787ca81fb8d0acc0aa0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a.exe
    Filesize

    688KB

    MD5

    3a05caeefe010b399639330bc987d370

    SHA1

    1befbdf8577edb5b08f344c0fb4b31d9ad315def

    SHA256

    f4f3f6cd3ffa802c7da9eb21420e95d7e02ea9d047e27ccfce857ad766bc6f12

    SHA512

    87dcf5d69ac8bbe7f16c103e2e7d52c81e57763e2d04963cd21a3c41096328d3c8160d79cea81839afb8ddc6570e42fc98321b51a64b445ce6ef526ba86ec4e5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgk0swew.unj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp5A26.tmp
    Filesize

    1KB

    MD5

    4b44edb328d7776de87a7b2f0f58996b

    SHA1

    a3eccd87c4df5494f389807c51ea94c9af15914d

    SHA256

    6d704fb2b47184d5b8b09e296a0b7eb44d39b249cb85e65f66bfbe2643d2e0c4

    SHA512

    971f6c803b9c820fb4863131fbf3e294cc3a48498088dfd431a10bb6215eb0dce001ef9e1cbcaf1bb7571477534b49f5e861539392c7a2c0fb8ca34d5aae9f04

    Download Submit
  • C:\Users\Admin\AppData\Roaming\rdYXPAGu.exe
    Filesize

    728KB

    MD5

    9762ce69c2bf80bf5ffd1029ac0b11ec

    SHA1

    49694133876acbe35f5493d99a967089ea1cc17a

    SHA256

    fc7c9c64d0801f66f22ea258673b12b73f392b958cf38dbf14432dcdb3037e5a

    SHA512

    6ca9dd8b6774f47d5f72727bc5e5ff9764ee145522747342d13854f571d61314c2f1bd83125dd181ad0d8f7c4a1a77974668d10f14876de293f2e30ba33e0e44

    Download Submit
  • memory/1872-11-0x0000000008ED0000-0x0000000008F6C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1872-5-0x0000000005400000-0x000000000540A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1872-9-0x00000000065D0000-0x00000000065DC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1872-10-0x0000000006630000-0x00000000066BC000-memory.dmp
    Filesize

    560KB

    Download
  • memory/1872-1-0x0000000074E60000-0x0000000075610000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1872-8-0x0000000005910000-0x0000000005918000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1872-2-0x0000000005920000-0x0000000005EC4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1872-7-0x0000000005760000-0x0000000005772000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1872-0-0x0000000000930000-0x00000000009EC000-memory.dmp
    Filesize

    752KB

    Download
  • memory/1872-6-0x0000000006A40000-0x0000000006AE8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/1872-3-0x0000000005410000-0x00000000054A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1872-53-0x0000000074E60000-0x0000000075610000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1872-4-0x0000000005600000-0x0000000005610000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1924-176-0x0000000007BE0000-0x0000000007BE8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1924-114-0x0000000007B40000-0x0000000007BD6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1924-24-0x0000000005DE0000-0x0000000005E46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1924-36-0x0000000006130000-0x0000000006484000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1924-26-0x0000000074E60000-0x0000000075610000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1924-23-0x00000000054C0000-0x00000000054E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1924-106-0x0000000007F00000-0x000000000857A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1924-131-0x0000000007AC0000-0x0000000007AD1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1924-96-0x0000000005170000-0x0000000005180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1924-95-0x0000000005170000-0x0000000005180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1924-22-0x0000000005170000-0x0000000005180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1924-54-0x0000000006590000-0x00000000065AE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1924-55-0x0000000006640000-0x000000000668C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1924-21-0x0000000005170000-0x0000000005180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1924-94-0x0000000075710000-0x000000007575C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1924-89-0x000000007EEB0000-0x000000007EEC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1924-175-0x0000000007C00000-0x0000000007C1A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1924-172-0x0000000007B00000-0x0000000007B14000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1924-169-0x0000000007AF0000-0x0000000007AFE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1924-191-0x0000000074E60000-0x0000000075610000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4056-198-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4056-196-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4056-52-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4056-47-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4056-49-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4056-48-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/5084-20-0x0000000005300000-0x0000000005928000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/5084-108-0x0000000007520000-0x000000000752A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5084-107-0x00000000074B0000-0x00000000074CA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/5084-78-0x0000000007160000-0x0000000007203000-memory.dmp
    Filesize

    652KB

    Download
  • memory/5084-77-0x0000000007140000-0x000000000715E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/5084-67-0x0000000075710000-0x000000007575C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/5084-65-0x000000007EE90000-0x000000007EEA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5084-66-0x0000000006750000-0x0000000006782000-memory.dmp
    Filesize

    200KB

    Download
  • memory/5084-25-0x0000000005B00000-0x0000000005B66000-memory.dmp
    Filesize

    408KB

    Download
  • memory/5084-19-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5084-18-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5084-195-0x0000000074E60000-0x0000000075610000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/5084-17-0x0000000074E60000-0x0000000075610000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/5084-16-0x0000000002880000-0x00000000028B6000-memory.dmp
    Filesize

    216KB

    Download