Analysis

  • max time kernel
    134s
  • max time network
    138s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    19-06-2024 17:48

General

  • Target

    H-Output.exe

  • Size

    258KB

  • MD5

    6c5f1353172df2d3b8ab7f210f4d13dd

  • SHA1

    bc87512ad22e3d6969b149824661896191290ad1

  • SHA256

    f16b28324fb8b97e433712fec6db4d422c32199c488e3d8a9dbc1acbbdc08307

  • SHA512

    21b55634006247d65cb022e601743f3c58f8bf7943235d978ab6648f9084feff63638c971f02a9d8b7311fc1ad1b6ccc4286d38e68fb99476c931c5d62379407

  • SSDEEP

    3072:sr85C5yQRuUwPsmSIgEHBAnpK37nXK8Q0RoQ1y6PsX74SyJhWgKLlS/OHvfERbEK:k9cQQ5PsZN8le6PXoY/6ed/unOGPhpC

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files with copies of itself in order to spread and cause damage.

  • Executes dropped EXE 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 58 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\H-Output.exe
    "C:\Users\Admin\AppData\Local\Temp\H-Output.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\3582-490\H-Output.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\H-Output.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4880
  • C:\Steam.exe
    \Steam.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:488
  • C:\Steam.exe
    \Steam.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2172
  • C:\Steam.exe
    \Steam.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3140

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
  • Privilege Escalation
    Event Triggered Execution (T1546): 1
    Change Default File Association (T1546.001): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    System Information Discovery (T1082): 1
    Query Registry (T1012): 1
  • Collection
    Data from Local System (T1005): 1

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Steam.exe.log
    Filesize

    1KB

    MD5

    5a18c0096c3d708f2e104c1d69eea8db

    SHA1

    a7ed897ef2a0e2fa6c9f00b2c60138213147c0a5

    SHA256

    8ce4225532855b6cbea1da75a3bee1ef18518ab5ad333d311377666628b2a700

    SHA512

    9072a9ff528e966cec0aa12e6e52f45e60c00c4e6a375b14ac7fa882b31fcbc50c5dd3b11f8493e87770e392c4a9b584252baec363eb70b601b77053522922fe

  • C:\Users\Admin\AppData\Local\Temp\3582-490\H-Output.exe
    Filesize

    218KB

    MD5

    0ce3cfb3f39c6ab542bd006acc91998d

    SHA1

    d34331d9874a888e78be88a7f67d2d8f0cfa5b21

    SHA256

    71a9b9cb96b2b80b352cbac72a40129377dcb09f0e4abb78806decdfda312720

    SHA512

    a1f406af385f3b7cecea9b78f19028a5db59a051050a7514c13b7fbdb4092fe5debcc8d0c408f4f50c6da6aa0bfe7e6865722c35af288197863fb70951be42f0

  • memory/488-70-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
    Filesize

    9.9MB

  • memory/488-71-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
    Filesize

    9.9MB

  • memory/488-73-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
    Filesize

    9.9MB

  • memory/1340-74-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/1340-76-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/4880-6-0x00007FFAA4D43000-0x00007FFAA4D44000-memory.dmp
    Filesize

    4KB

  • memory/4880-7-0x0000000000280000-0x00000000002BC000-memory.dmp
    Filesize

    240KB

  • memory/4880-69-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
    Filesize

    9.9MB

  • memory/4880-77-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
    Filesize

    9.9MB