Analysis

  • max time kernel
    41s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 11:10

General

  • Target

    fb76a5b722405efc72c9965d527a8fd0N.exe

  • Size

    1.6MB

  • MD5

    fb76a5b722405efc72c9965d527a8fd0

  • SHA1

    4d23317bc62b3c0776bcb207fb29908ae5096e14

  • SHA256

    494b5c21d28798235ef25e80961ebd37021d609121a9b09b0c137bbfd9cd4812

  • SHA512

    90ba2ca6e9bf968e1e534397661b550dfbe68049e1a3ccf666338abb0915fc45ccd1b12b0fe81f0d16106e8b6081977a8d2e55f1005053e04844c05939167f6c

  • SSDEEP

    24576:yNsE09kEyTClJQ56C17Gf/VtsFVAVXCkaqtZpy:y2EKkEyTCDQwI7GHLsX8VZQ

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb76a5b722405efc72c9965d527a8fd0N.exe
    "C:\Users\Admin\AppData\Local\Temp\fb76a5b722405efc72c9965d527a8fd0N.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\3582-490\fb76a5b722405efc72c9965d527a8fd0N.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\fb76a5b722405efc72c9965d527a8fd0N.exe"
      2⤵
      • Executes dropped EXE
      PID:2140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

    Filesize

    859KB

    MD5

    754309b7b83050a50768236ee966224f

    SHA1

    10ed7efc2e594417ddeb00a42deb8fd9f804ed53

    SHA256

    acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

    SHA512

    e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\fb76a5b722405efc72c9965d527a8fd0N.exe

    Filesize

    1.5MB

    MD5

    c1d680ca95873d5772a39b93d3a9ab15

    SHA1

    f5352bb32a587f484211b43d0c023edb435d294f

    SHA256

    67e6d8bb2c99c3f87c02189fc48427fe8e9aaff37de7a2c98ac4be2204916093

    SHA512

    b9b53cdb30b9e7ed9bdc73e5d78c299287268bbcee34aeb0203584a3e95586ce349521bbb0eb940437050d7f05e353a359013873fcaf9af5ac44810def1edb01

  • memory/3000-84-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3000-85-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3000-86-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3000-87-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/3000-89-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB