Overview

overview

10

Static

static

3

320875988c...e5.exe

windows7-x64

10

320875988c...e5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe

  • Size

    698KB

  • MD5

    08ca3eb4ad279f20ad7bf302b99f8120

  • SHA1

    8c8873a96f1ac56e6b832761a057dcf5b2b4eda1

  • SHA256

    320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5

  • SHA512

    9667d4e0cd9bd5d55f49a9657ed9530a09c12f82e5fd45cece9097734493a3583591c00a1ee92f1f4ec6e580638166e21acbfcf5832040def754470de05b7c75

  • SSDEEP

    12288:6lYifTdTeVso+OX4mAdhrDu7NQ6xM9z6J95q1nKn2GJpKwp/U8WRu9jpX8R0J14+:diuso+bmaVKlxM9mJR2EVU8guvN14Nk

Score
10/10
neshtapersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe
    "C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5348
    • C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe
      "C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe"
      2⤵
        PID:2148
      • C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe
        "C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe"
        2⤵
          PID:4372
        • C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe
          "C:\Users\Admin\AppData\Local\Temp\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe"
          2⤵
          • Checks computer location settings
          • Modifies system executable filetype association
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          PID:748

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Privilege Escalation

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
        Filesize

        86KB

        MD5

        274c12b975b00d0bb69ca0910f7997b7

        SHA1

        007055bd33d8677ff43a1b0433e80989c36861a6

        SHA256

        26daa461138f85168ee63365ec6034cfaa66733ba6deba2eb7c0deef8b1d8eac

        SHA512

        bd2bf8b5501b8f4ab86f52b19eadccd008ee3e27ed8df05fed4797d2d4df7cd258455ccfe30e656626b78d58280f1cd432f0e08ff9a5df0795333364e9cf6fc1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\3582-490\320875988ca4badb56a9522936ac4260a3532ebd73b97b048726b15bbe0409e5.exe
        Filesize

        658KB

        MD5

        f420a233d9ff3db7b888fbdc1eb3d4fc

        SHA1

        80e2e9691dcb79e88a55d8ab87d4dad44f3b4aa7

        SHA256

        d75dc506ab34babb7fcd7f6e58ddbc3eda84042020d60d35ec016a9928469e60

        SHA512

        24f764feb656677c3cae88c147e2186660db2a89c338f02871cd3d25cec425e674fdb3745bf41f1a6dd75135bd8224a6390a48c956cf163706ec68dc070d3c90

        Download Submit
      • memory/748-10-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/748-114-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/748-11-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/748-15-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/748-12-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/5348-4-0x0000000004CD0000-0x0000000004CDA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/5348-8-0x00000000051B0000-0x00000000051C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5348-9-0x00000000063F0000-0x000000000647C000-memory.dmp
        Filesize

        560KB

        Download
      • memory/5348-7-0x0000000005190000-0x00000000051AA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/5348-6-0x0000000074F80000-0x0000000075730000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5348-5-0x0000000004F40000-0x0000000004FDC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/5348-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5348-16-0x0000000074F80000-0x0000000075730000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5348-3-0x0000000004D00000-0x0000000004D92000-memory.dmp
        Filesize

        584KB

        Download
      • memory/5348-2-0x00000000052B0000-0x0000000005854000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/5348-1-0x0000000000360000-0x0000000000414000-memory.dmp
        Filesize

        720KB

        Download