Analysis

  • max time kernel
    42s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-07-2024 19:14

General

  • Target

    新建文件夹/svchost.exe

  • Size

    40KB

  • MD5

    13058802fd08204a986fefda371c984e

  • SHA1

    18ca69efc8c46fbcb8a8905ab5ddcb1c57db6bd1

  • SHA256

    40df0e0008b6342068604c7c159a1b4f81b149e4ddb674ceafe49c71b066c330

  • SHA512

    9ad85c30155fceb6a9f6455e03d5bfeced9e3bc366f2bfba537c393e81dd664ee58cb5a480531da510cf620aea9514ccb6bcc232f6e551c3b9d1491d00672fb2

  • SSDEEP

    768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJFbxYuXlBg:JxqjQ+P04wsmJCcbxZXL

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    PID:3760

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • T1546 Event Triggered Execution (1)
    • T1546.001 Change Default File Association (1)
  • Privilege Escalation
    • T1546 Event Triggered Execution (1)
    • T1546.001 Change Default File Association (1)
  • Defense Evasion
    • T1112 Modify Registry (1)
  • Credential Access
    • T1552 Unsecured Credentials (1)
    • T1552.001 Credentials In Files (1)
  • Collection
    • T1005 Data from Local System (1)

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    2701f5f07f9c3bd97f752b93e11224a6

    SHA1

    19e11632c430f6db218be7d54719e7d16005703f

    SHA256

    15dc0e52a821f2c356d6c9eac4ac41fa53ab1742a5f719de4e8be28d86ca3a99

    SHA512

    121ba9218c676c28e432f3ffa0e13f4b14f3726e5d8521c239641f24b869063de27608689daab4c81d1eea0b3f67072e42fca558bf379c60a8370cd15d37b81d

  • memory/3760-86-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/3760-87-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/3760-89-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB