Overview

overview

10

Static

static

3

att-19071817514.exe

windows7-x64

10

att-19071817514.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    att-19071817514.exe

  • Size

    784KB

  • MD5

    700995e915a6a8b1d62ef701d10113ac

  • SHA1

    e31d7d13f6151ba921e978a70dcce67255addeb6

  • SHA256

    2c71c987526332f38fe4485dfa0f6134ba4ec24a809d95877a0bba9549883e18

  • SHA512

    75ed48ddc399abf2f573d9d7dc15988938f48d62bf7d7b45a20da8279003cf8c22206b02de008055e5f9c39d6f40d66ccade1f1f7c26c77859580cd26c902551

  • SSDEEP

    24576:Hn698VVY+Kp1qXSAfzW9zulnqLmkrOOm:a9SLXTWEnq3OOm

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe
    "C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe
      "C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"
      2⤵
      • Checks computer location settings
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    051424ac433bb5e99ffcca0bcb2ce96b

    SHA1

    3c9264fb7ace6e8ab2419514146aef075196d12a

    SHA256

    685c331ecc43805b2775995af5d865c8ac172d1543c97ad5d465e546f151197a

    SHA512

    1b92812777d9bf729988291eeff26ec7a7364cf8bcb02cb60cc8fb355367aae7d74c0f9a86f5965406545b64b9d41e65ad3f7178a00836bfd4b5bd768b9f31cc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\att-19071817514.exe
    Filesize

    743KB

    MD5

    bfb1f02f804fac8751a7e624ade46b4f

    SHA1

    452827701cc46243eb3654907388c3ca7e68c9e4

    SHA256

    0b6525fa60e909a86bff23f398f6fdf88d2d666901f39cc8fb4cc6800ca92dd1

    SHA512

    64cb56d1f67ec7527dd6d961732e7041ee26b8d3c7ae98638134f46597d326217dfd1ead22f0bcaaf7d7c910a9264259e7f0a5c43b183e64d99dc5ebd944836f

    Download Submit
  • memory/872-11-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/872-116-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/872-114-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/872-16-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/872-12-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/872-13-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3812-10-0x0000000009940000-0x00000000099DC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3812-9-0x0000000006280000-0x000000000630C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/3812-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-8-0x00000000046F0000-0x0000000004700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3812-7-0x0000000008890000-0x000000000889C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3812-6-0x00000000051C0000-0x00000000051E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3812-5-0x0000000074A90000-0x0000000075240000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3812-17-0x0000000074A90000-0x0000000075240000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3812-4-0x0000000004D80000-0x0000000004D8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3812-3-0x0000000004CE0000-0x0000000004D72000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3812-2-0x00000000051F0000-0x0000000005794000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3812-1-0x0000000000210000-0x00000000002D8000-memory.dmp
    Filesize

    800KB

    Download