Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2024 03:03

General

  • Target

    ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe

  • Size

    1.1MB

  • MD5

    bbd7910a23f556e6782de49f9297f29b

  • SHA1

    018d0af275c09a9531403edfbb805cc48d6e1333

  • SHA256

    ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a

  • SHA512

    5d988167e7da2c8e0465d1d86947c6f7dcacd1cd29abeb3afc98152bc485a82624ca49c4cc9ace69cb2c4a0bb8c4f230ce54de8cdb1927ab7f63e32948566388

  • SSDEEP

    6144:k9Yjc2ICXRjxC4UBCySMVF1VptGOcssg4U1MImXnk:bc2IC5xCFhVG/Epsnk

Malware Config

Signatures

  • Detect Neshta payload 24 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files on the host in order to spread itself and cause damage.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 17 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
    "C:\Users\Admin\AppData\Local\Temp\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\3582-490\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Users\Admin\AppData\Local\Temp\Setup.exe
          C:\Users\Admin\AppData\Local\Temp\Setup.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
              C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
              6⤵
              • Executes dropped EXE
              PID:2648
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Users\Admin\AppData\Local\Temp\Setup.exe
          C:\Users\Admin\AppData\Local\Temp\Setup.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\svchost.com
            "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2808
            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
              C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
              6⤵
              • Executes dropped EXE
              PID:2484
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GOLDMD~1.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Users\Admin\AppData\Local\Temp\GOLDMD~1.EXE
          C:\Users\Admin\AppData\Local\Temp\GOLDMD~1.EXE
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 548
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

    Filesize

    859KB

    MD5

    02ee6a3424782531461fb2f10713d3c1

    SHA1

    b581a2c365d93ebb629e8363fd9f69afc673123f

    SHA256

    ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

    SHA512

    6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

    Filesize

    186KB

    MD5

    58b58875a50a0d8b5e7be7d6ac685164

    SHA1

    1e0b89c1b2585c76e758e9141b846ed4477b0662

    SHA256

    2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

    SHA512

    d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

    Filesize

    1.1MB

    MD5

    566ed4f62fdc96f175afedd811fa0370

    SHA1

    d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

    SHA256

    e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

    SHA512

    cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

  • C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

    Filesize

    137KB

    MD5

    e1833678885f02b5e3cf1b3953456557

    SHA1

    c197e763500002bc76a8d503933f1f6082a8507a

    SHA256

    bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

    SHA512

    fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

  • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

    Filesize

    899KB

    MD5

    80a2fab233077e3ef91d1b207a7f725f

    SHA1

    8d496e3fe85c347372eabd50a616327c78349d33

    SHA256

    a061bfaa92dd039806911a09d30b6f24553395b6af21ae4fa54d5e5ba85f3e3d

    SHA512

    d4b96b04d2a00f714d60d62f1d66592cb68249914047118e8a405930a1c2a489c0e8fc71f80ff6f0cafbae60bea6960d8b216a7b0c94316f3076640eb71217a6

  • C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

    Filesize

    194KB

    MD5

    623288b46813a3c1c960b801762a3fde

    SHA1

    c73da36974aac1c21f57afde8879a8c5fb7b6a4c

    SHA256

    65777f734ceaa4a20a594cd0b52d7a02ee9a200f01641817ad9526b79117c3ff

    SHA512

    573d760b64c417dac7d9e765766e38ae465f2c0c0d177933302731048a5f4661964e60676844e57780eb65ef94cbcde1378e75d8d0a30c6a26bc1413e43c3eba

  • C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE

    Filesize

    1.5MB

    MD5

    bfe8267cbc145e3230a3fc9430e3de1e

    SHA1

    505e1723d02274804942dc322f4d45c99a0d1a1c

    SHA256

    127e2cf254aa60bcc1e2bfc7f963afa92d57e8ea2a2b3d50f4fb5b4b73d089ba

    SHA512

    5c1680af090e8667e103700015e50de6174c13427f9fa4865d786170bd45b1c2733342bc8cf1e5b23830beaddcb99a21566b957e5cafe9b95fe36d8c5fb3567e

  • C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

    Filesize

    674KB

    MD5

    9c10a5ec52c145d340df7eafdb69c478

    SHA1

    57f3d99e41d123ad5f185fc21454367a7285db42

    SHA256

    ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

    SHA512

    2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

  • C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE

    Filesize

    495KB

    MD5

    9597098cfbc45fae685d9480d135ed13

    SHA1

    84401f03a7942a7e4fcd26e4414b227edd9b0f09

    SHA256

    45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

    SHA512

    16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

  • C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

    Filesize

    485KB

    MD5

    87f15006aea3b4433e226882a56f188d

    SHA1

    e3ad6beb8229af62b0824151dbf546c0506d4f65

    SHA256

    8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

    SHA512

    b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

  • C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

    Filesize

    495KB

    MD5

    07e194ce831b1846111eb6c8b176c86e

    SHA1

    b9c83ec3b0949cb661878fb1a8b43a073e15baf1

    SHA256

    d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

    SHA512

    55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

  • C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

    Filesize

    526KB

    MD5

    cc5020b193486a88f373bedca78e24c8

    SHA1

    61744a1675ce10ddd196129b49331d517d7da884

    SHA256

    e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

    SHA512

    bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

  • C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

    Filesize

    714KB

    MD5

    3c86c25a76c1413747ae8851bead4bac

    SHA1

    9342be761a661f51d85fd49fa9b75818aa0c4851

    SHA256

    b7ff698e4395c9e682027bc710a529139dcc602d97e374fc294bcf5198073493

    SHA512

    e70376561100d6a4769bc91e4daa3c224ed39f8412391a5ee9b9cae83d08dd2229a25f9099f5336810a757d95b6e81faa30608f35d8761b1c4cc0f41313cb43f

  • C:\Users\Admin\AppData\Local\Temp\GOLDMD~1.EXE

    Filesize

    698KB

    MD5

    629775f1611ef29d58010526ea0d545e

    SHA1

    0531fb5c671af69525fac0630146dd41de47577e

    SHA256

    c37a3c2f010ebac9bc0d6b6e1e508db8e4fbf14faa2f5a0442c0de5f4e047d6d

    SHA512

    35241e6e1f5de93bb0700a6c7328270c034a20f52b8b802b0a9ec684b5e2f59f8f51d5eed3366611c045d18ca339638caeab57ea00f5bbd78750781db3ef3757

  • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

    Filesize

    8B

    MD5

    24e4c70a4c36903787c36989f3417676

    SHA1

    e760f4da660a985173436787bb17a333f2eb3d8f

    SHA256

    5c48cd2705ec16f488f8c958dcaabda106cad5d9b459382e2d54eb533a53fdc0

    SHA512

    a97428ea062b6a54e3dc295bf84a12c6b76b566fdb0e85e2abcded665c395821357e50aee52a30dfc4fabbb9160d116fd5a0eb73433a1af1525abf06e6327f78

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

    Filesize

    256KB

    MD5

    c4e4407b5fcf49586ddd5d5573ae4b95

    SHA1

    0f60aaaaac09d4f9273207114fcc78c0bfb250eb

    SHA256

    8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

    SHA512

    95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

  • C:\Windows\directx.sys

    Filesize

    45B

    MD5

    741026dcef1bb48ebcc8a83ddce6a580

    SHA1

    cd3be9c7763d465149fd0f2f535d9ba163b3cb37

    SHA256

    bdc0687cb6574a76bccaadc8ddeee871a6c94cfccf33a5cd3daf9fca075f80bb

    SHA512

    9753918f08b80449382ed6e034e32ca4b4274379325ffb84778d94f142bb24a541fb32b053843660a54488ba6f7e91158da9e2e64665649892c72a0af1beeb2a

  • C:\Windows\directx.sys

    Filesize

    48B

    MD5

    13d20397d30c4f57d19c6f91f508c428

    SHA1

    aa2e23063d0c06463b3fb413f8f00d14167ed656

    SHA256

    fefc438d5e8bc82800ea62abba3e29c7e5ef0bc39b3c21c95c0771d250d85a6c

    SHA512

    6f8ad574ec9e2978787c4da5b9121daa3357256abb74dbefc8a26ead0436eb878f57e0fef8d77112f0fc0c6c28f1d55034fa0cc6f10eeeb9eee8aca57b55a677

  • C:\Windows\directx.sys

    Filesize

    70B

    MD5

    d7e567ae5203de33887086506dfe9863

    SHA1

    2f12b5d6a9277eb89e2582fa05631646e0a9b236

    SHA256

    0cc680f73de15d57b6e5e5e5b3ae4399d5eb562d05ac15fdc5d2d9ed2b9d3e19

    SHA512

    182366404c69cf42a824804f941054f4a157904dfa6fa49b11f5e9ad72fb19ae7c079a4c0540788c8df630e25eac526e2bbb92e4933772c3bea6fe24380712a9

  • C:\Windows\svchost.com

    Filesize

    40KB

    MD5

    31052c3cc4c1c1afe3fe16981559432e

    SHA1

    d207a619803fb5eeb3535d74f459e5762251093f

    SHA256

    c495b442e561aa88a25ed83119dd245f08e25c1634f393e54a889ddfc528e553

    SHA512

    5fec934eb81e5bdf077fe66c7ff39e2c28b13db4512cf71e9c5b64ccb9f55c6ff86f43a805a999dc620c937456b950e5acfa7a21a765132f3d81e19adf2a6be6

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe

    Filesize

    1.0MB

    MD5

    06e5f48c88a1fce2165d1ec0d72b64f5

    SHA1

    ea4a75bd6da0faed696fe7408a2db192efd75625

    SHA256

    1ad3192018f0d90e08ac72308564006757eaa8319284c3fdd69003ad1a8ae7d9

    SHA512

    c8ec3a324bc34d2cbb6b6e73a5c952e4d7d2aa5d90ffda425d74c88c58a57533c6931f12c20e0fbf22d2d4d0ff594cc02eb08599b0bad68cbe7d89fa54bb5f77

  • \Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    356KB

    MD5

    fa0b327abd82686bb9d676a30fa89b46

    SHA1

    a5521f5e8e500f67b183542ffad65b83ebcb186f

    SHA256

    d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

    SHA512

    ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

  • memory/1572-79-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1604-211-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1604-216-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1992-220-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/1992-213-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2168-214-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2168-212-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2200-7-0x000007FEF5A2E000-0x000007FEF5A2F000-memory.dmp

    Filesize

    4KB

  • memory/2200-45-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

    Filesize

    9.6MB

  • memory/2200-13-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

    Filesize

    9.6MB

  • memory/2200-34-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

    Filesize

    9.6MB

  • memory/2580-80-0x0000000000980000-0x0000000000A34000-memory.dmp

    Filesize

    720KB

  • memory/2640-82-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2808-81-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB