Resubmissions
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
03-06-2024 14:27
General
-
Target
sample.exe
-
Size
5.4MB
-
MD5
3890b8381d0097b70797e484f40d0df3
-
SHA1
43f2196a11285902cab38264f64a0fd545161b44
-
SHA256
dfea487c68b65aafc445658ea66473de74997a46a9ebf5b0123d1031a2432305
-
SHA512
f3091690ce65f294b298014dbd4ee8e46f2de302d9aff3ba75c3caf801378debd840b65534f8a8edad58d72a92eb1119379f628e7bff86d63a738b79a945b722
-
SSDEEP
98304:U98aK6oZt3D1RkS5OS0yionLTKnVhoDXDDm4O5DBur00H6qfe:yrK6oLD1GN3Xo6sDX3lUlY0Y6qfe
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 8323⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXEFilesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
C:\Users\Admin\AppData\Local\Temp\3582-490\sample.exeFilesize
5.4MB
MD5210394145368825b0ef292bcd95d5a1d
SHA1387f356a147164ecd876117cb1253d38c83e85d5
SHA256bd473bfba93df098187864352721b0386632cdce4c3368fbaae31b3d7bf3709c
SHA5128afeffedf643a07de5a441456b1a23cce98c481420ba10450400a7b719de6091776c2e81416e6fb722aabac047039f2459f573eef16330601f7aee3598f79b50
-
memory/4584-113-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4584-114-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4584-116-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5008-9-0x0000000073592000-0x0000000073593000-memory.dmpFilesize
4KB
-
memory/5008-10-0x0000000073590000-0x0000000073B41000-memory.dmpFilesize
5.7MB
-
memory/5008-11-0x0000000073590000-0x0000000073B41000-memory.dmpFilesize
5.7MB
-
memory/5008-18-0x0000000073590000-0x0000000073B41000-memory.dmpFilesize
5.7MB