Overview

overview

10

Static

static

3

320875988c...e5.exe

windows7-x64

10

320875988c...e5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe

  • Size

    698KB

  • MD5

    08ca3eb4ad279f20ad7bf302b99f8120

  • SHA1

    8c8873a96f1ac56e6b832761a057dcf5b2b4eda1

  • SHA256

    320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5

  • SHA512

    9667d4e0cd9bd5d55f49a9657ed9530a09c12f82e5fd45cece9097734493a3583591c00a1ee92f1f4ec6e580638166e21acbfcf5832040def754470de05b7c75

  • SSDEEP

    12288:6lYifTdTeVso+OX4mAdhrDu7NQ6xM9z6J95q1nKn2GJpKwp/U8WRu9jpX8R0J14+:diuso+bmaVKlxM9mJR2EVU8guvN14Nk

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe
    "C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe
      "C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe"
      2⤵
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    Filesize

    547KB

    MD5

    71b27cf369e8c438be7a794a7c94c774

    SHA1

    baa7f83af5f88406c2fadbf41887199a66c1b1a4

    SHA256

    3bd7681a453785df06c39a5426343f725a3d613d44c1978d667548cf9aefebd8

    SHA512

    2bd87b67482e5d65d6a67ac64f15833a2c5cc9bcc1b4b0e92b3009fdc986a45c4fce4e370dffdd89e28175609a9b9acdaf162c1b8a15190491fc594012c9e47f

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • memory/2808-17-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-10-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-101-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-19-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-6-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-15-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2808-12-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-11-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-16-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-9-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-8-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2808-7-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3016-0-0x000000007419E000-0x000000007419F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3016-3-0x0000000000330000-0x000000000034A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3016-5-0x00000000053E0000-0x000000000546C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/3016-20-0x0000000074190000-0x000000007487E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3016-2-0x0000000074190000-0x000000007487E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3016-1-0x00000000012A0000-0x0000000001354000-memory.dmp
    Filesize

    720KB

    Download
  • memory/3016-4-0x00000000002E0000-0x00000000002F0000-memory.dmp
    Filesize

    64KB

    Download