Analysis

  • max time kernel
    101s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2024 21:37

General

  • Target

    0d15febb5c180e54e789850ac3917d20N.exe

  • Size

    111KB

  • MD5

    0d15febb5c180e54e789850ac3917d20

  • SHA1

    fcf34e9d606bcbe2727facc53a3619f4cb28372a

  • SHA256

    7baf2f60560b0c8b2b3f4389cfa71c2460f7b15062de1229fea6c926f6ff443b

  • SHA512

    3512b2365db96f6073950f13ad360fa4934f7bb1991608b472875d90a67a79f48719339b5d7e1c182f040ecc7aa04458a38919adddff01aaf7774942f054961d

  • SSDEEP

    3072:sr85C+hE7kEjb/vlmZ0y4YufkoTgDH5rFloPZwTOLa7eEfdkAzjkf5yBCCpcE9zO:k9+hKkOXlmZ0y4YufkoTgDH5rFloPZw2

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d15febb5c180e54e789850ac3917d20N.exe
    "C:\Users\Admin\AppData\Local\Temp\0d15febb5c180e54e789850ac3917d20N.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\3582-490\0d15febb5c180e54e789850ac3917d20N.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\0d15febb5c180e54e789850ac3917d20N.exe"
      2⤵
      • Executes dropped EXE
      PID:4220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\Users\Admin\AppData\Local\Temp\3582-490\0d15febb5c180e54e789850ac3917d20N.exe

    Filesize

    71KB

    MD5

    907d440be0d6009751f1b308752a2ded

    SHA1

    5ac1c485ba32955b772a280a2fdacaf05961ffcc

    SHA256

    a664c8831c0b6deb8975a157ab9381b31e13b52e89e369dacd0d1e5c0ecaddee

    SHA512

    a34659e7aa9bb01626800177997e5d95fdeaf56801e552372d7b921da79b0e94b6bc145682c1898bc2637b999551c9f3ed29396c8c67ebbc681a79550c417de8

  • memory/4900-97-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4900-98-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/4900-100-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB