Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-10-2024 08:02

General

  • Target

    fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d.exe

  • Size

    715KB

  • MD5

    0430de07aa9b4a4b1c4aa79e9ef75678

  • SHA1

    9fa8b27f795673a99ab78cc4cb805693b14116f8

  • SHA256

    fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d

  • SHA512

    36d72352a02d685c1f60728a3a4a748af7d93a4b0f93328ff326ff670b511d287050f80f2229d82824a99295e6235f6e8098618635308e93537bf9812a1cf9d6

  • SSDEEP

    12288:jUNDaKUNDa8/J+CtaxnjZpAbxdxDcWcnR4bfXfwiSeiw8xHgbYpj58NO0qwxeWf0:jOaKOaAel3+s0DvfeUYqcZQCGm4YfaQ

Malware Config

Signatures

  • Detect Neshta payload 19 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 10 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d.exe
    "C:\Users\Admin\AppData\Local\Temp\fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\3582-490\fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2836
      • \??\c:\users\admin\appdata\local\temp\3582-490\fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d.exe 
        c:\users\admin\appdata\local\temp\3582-490\fea19be56706d18881f60cb8ea3411bf696d1ecf58fb1c1c4746c0db60d38a4d.exe 
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3028
      • C:\Windows\Resources\Themes\icsys.icn.exe
        C:\Windows\Resources\Themes\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2936
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2564
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2620
            • \??\c:\windows\resources\svchost.exe
              c:\windows\resources\svchost.exe
              6⤵
              • Modifies visibility of hidden/system files in Explorer
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2864
              • \??\c:\windows\resources\spoolsv.exe
                c:\windows\resources\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2264
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:04 /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1216
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:05 /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:576
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 08:06 /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2628
          • C:\Windows\Explorer.exe
            C:\Windows\Explorer.exe
            5⤵
            PID:2932

Network

MITRE ATT&CK Enterprise v15

Downloads
