Analysis

  • max time kernel
    104s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-07-2024 22:25

General

  • Target

    1d9d8b7879afd5012d4ec3127b5f1f30N.exe

  • Size

    4.6MB

  • MD5

    1d9d8b7879afd5012d4ec3127b5f1f30

  • SHA1

    39965b6343a0aefd3c99e889569b15c8cd71f77c

  • SHA256

    a88f960e928c25ce8f95a503d3ebbf075de87d18bb0c4f33485d25f43d50cc11

  • SHA512

    a4da607968852329e69200c92471cbb800ff695d69bf56a24a5a01d75f32bf675c6e7275ffb2d13ee1c7761d65b28a25aa94dbb8687a3c2e12919614370b057a

  • SSDEEP

    49152:bCnLqvooHgjB/Xp5J1dTbehABz8iyl3meAryb39CzUP66PCelDVse2DFiE5fpF6o:uLqvoxD5C7oBxB5fS8gzYX6Xej

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
    "C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"
      2⤵
      • Executes dropped EXE
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

    Filesize

    86KB

    MD5

    04c6daba4fac663e35df611485367158

    SHA1

    f1e27d06af670f459de40bd7b0ab9af4289774db

    SHA256

    0bbc9bffc739d04b2d56a3a56528f0c21e5f179466145de35cea61289781651e

    SHA512

    a2ac9e3245b25e3492bcac2f3a6072215dca6c3458de59d97959e144a1c89854058b8b32b4690f938e7996ad99b9e74da0a7ccb194e897280885b0b9b3583bf6

  • C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe

    Filesize

    4.5MB

    MD5

    e00c9e5cde84192ebc4d55bb16aa27b7

    SHA1

    c45672062008ee73436fc2f16b045376bb29a060

    SHA256

    8e9753c48cc7093e0d454a86348a1234983d122b34976d1d31b174a05f10bac9

    SHA512

    3933acf89e860aa2a32215cb63c77f71fa58fbcec37445e62dbd1f97530a9f4467c028647ff1f4acf3ab0f668ab1db505bf2a0fa1b93ef48169d854a5cf87434

  • memory/4172-1-0x0000000000400000-0x000000000102C000-memory.dmp

    Filesize

    12.2MB

  • memory/4172-97-0x0000000000400000-0x000000000102C000-memory.dmp

    Filesize

    12.2MB

  • memory/4172-98-0x0000000000400000-0x000000000102C000-memory.dmp

    Filesize

    12.2MB

  • memory/4172-99-0x0000000000400000-0x000000000102C000-memory.dmp

    Filesize

    12.2MB

  • memory/4172-101-0x0000000000400000-0x000000000102C000-memory.dmp

    Filesize

    12.2MB