Resubmissions
30-07-2024 22:59
240730-2ynw5ayajh 1030-07-2024 22:56
240730-2wvlwsxhma 1030-07-2024 22:49
240730-2rrpfatbrk 10Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
30-07-2024 22:49
General
-
Target
05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO/OperaSetup.exe
-
Size
2.1MB
-
MD5
6c01a631f7c31ce735c757a33537e95b
-
SHA1
60bee89ee0f2da909c83d2e71413afdb2c4e3648
-
SHA256
7f1b8f48b9b9e7a43b4689e2d4fcf0ace7a251e4801d5b0d666414e7604359e0
-
SHA512
6e1d49190afd096ddf469273e8e59531fe7a951ca262d6b90035f69c6510e6c949fcb781fa6031f47b81016654b832544563c9b124165e3a18b23bb3311101f8
-
SSDEEP
49152:iNEyYMnDfIZ54N+FVbKDR5s5R+M8nAZWVqNmHhO:4EIxO8s5R+MZhQ0
Malware Config
Signatures
-
Detect Neshta payload 3 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\OperaSetup.exe"C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\OperaSetup.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\OperaSetup.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\OperaSetup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\7zS4417E7D7\setup.exeC:\Users\Admin\AppData\Local\Temp\7zS4417E7D7\setup.exe --server-tracking-blob=ZTJhMGM1ODhiNDE1ZTFkM2UzYzUwYzQyNWU2Njk0MTdkMzVkYmE5ZjMyMzc1MjZkNDFlOGVkY2M2YWNlOWU4Njp7ImNvdW50cnkiOiJDTyIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYVNldHVwLmV4ZSIsInByb2R1Y3QiOiJvcGVyYSIsInF1ZXJ5IjoiL29wZXJhL3N0YWJsZS93aW5kb3dzP3V0bV9zb3VyY2U9YmluZyZ1dG1fbWVkaXVtPXBhJnV0bV9jYW1wYWlnbj1Xb3JsZHdpZGUlMkItJTJCU2VhcmNoJTJCLSUyQkVTJTJCLSUyQkNvbXBldGl0aW9uJnV0bV9jb250ZW50PUNocm9tZSUyQi0lMkJFUyUyQi0lMkJCcm9hZCZodHRwX3JlZmVycmVyPWh0dHBzJTNBJTJGJTJGd3d3Lm9wZXJhLmNvbSUyRmVzLTQxOSUzRnV0bV9zb3VyY2UlM0RiaW5nJTI2dXRtX21lZGl1bSUzRHBhJTI2dXRtX2NhbXBhaWduJTNEV29ybGR3aWRlJTI1MjAtJTI1MjBTZWFyY2glMjUyMC0lMjUyMEVTJTI1MjAtJTI1MjBDb21wZXRpdGlvbiUyNm1zY2xraWQlM0RlNzBhYzdmM2U4YTQxY2ZjN2U5YmExN2U3YzkzODEyOCUyNnV0bV90ZXJtJTNEaW5zdGFsYXIlMjUyMG5hdmVnYWRvciUyNTIwY2hyb21lJTI1MjBncmF0aXMlMjZ1dG1fY29udGVudCUzRENocm9tZSUyNTIwLSUyNTIwRVMlMjUyMC0lMjUyMEJyb2FkJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJmRsX3Rva2VuPTczMTIxMjk5IiwidGltZXN0YW1wIjoiMTcyMDU1NDU2Mi42ODA4IiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzEyNi4wLjAuMCBTYWZhcmkvNTM3LjM2IEVkZy8xMjYuMC4wLjAiLCJ1dG0iOnsiY2FtcGFpZ24iOiJXb3JsZHdpZGUrLStTZWFyY2grLStFUystK0NvbXBldGl0aW9uIiwiY29udGVudCI6IkNocm9tZSstK0VTKy0rQnJvYWQiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS8iLCJtZWRpdW0iOiJwYSIsInNpdGUiOiJvcGVyYV9jb20iLCJzb3VyY2UiOiJiaW5nIn0sInV1aWQiOiI0ZDhkNDM2ZS1jOGE0LTRlY2EtOTZkNi00NDYxMWI4M2M5OTQifQ==3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
Filesize
5.2MB
MD55b591929769effed06e395c91c7ca453
SHA1caab87c0d3011d6deed74308e51ec530f7c5eef6
SHA256d927f1cdb6c5ac43386c213d7d7aca13c6b5e403cf35bf8d598c3839bbc66fab
SHA512a30f8fe5f4532457c0bd9070c0fcf2470207edabdb1f11698b6fc788442e9f04dd1e2a738b098e5488dfe736418d0b7f1ccd21bd9348108e54e88be1521a5cac
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
2.0MB
MD5080bf22fdb2e1db7c9bd20433b1fde60
SHA103c250d60170c9ed13dd475ca44b5439a34e8813
SHA25617ce89c377997b79f5de5d83d72e700b79b9bc7fbbff2c55c36fed74cb9699be
SHA512285eedf2742650d18d6f7d489901cb92472fda95dece3a473aded805a55a7419cf11bb2d801299cdd9ac29b57586889d4d4b87589fe0c62398ac3456821b0617
-
Filesize
108KB
-
Filesize
108KB