Overview

overview

10

Static

static

10

5cba7c1d08...a9.exe

windows7-x64

10

5cba7c1d08...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe

  • Size

    868KB

  • MD5

    31ce659e1e8cb2bdd2b634332b2195ec

  • SHA1

    a2201f5e636d03091950c4e585420227b501ce3f

  • SHA256

    5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9

  • SHA512

    c5ce587d67f3e1880835061d61b0dc3fe8f6091a2a6038fc966d50995acbe9e9869c71f3f5cdaa4fd6b260a91c6500e0fc5ced90905684abf0510f2f81547839

  • SSDEEP

    12288:BpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V91dNDXBl2CUMS9:nJ39LyjbJkQFMhmC+6GD95DRYn9

Score
10/10
neshtadiscoverypersistencespywarestealerupx

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 13 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 34 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
    "C:\Users\Admin\AppData\Local\Temp\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:328
    • C:\Users\Admin\AppData\Local\Temp\3582-490\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Local\Temp\._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2228
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2600
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
    Filesize

    74KB

    MD5

    50fa0999fdcb73093fd97baeb588da63

    SHA1

    aee58afbdb9728b7229d68face88d22f0c489b71

    SHA256

    eefdef80e5a5fdfe4fede76fb38f389e43aaea2029f76867951c1cb309fd0089

    SHA512

    4fcca37d3c566a3c81d0ac9d25942f85813b553f55acea3d70ebe7e3d6ba98fd5540edcd35eca72dccb700142b50477c6ec0021702c72c7569e17a0887b76e21

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gHwF9Cvs.xlsm
    Filesize

    21KB

    MD5

    a1b56d1adc1216a182bea6f3497228e6

    SHA1

    784916969c067920e26f3258b1830c677c1b51e0

    SHA256

    f4934b470dd06fb2515026b559f21618073afeef5a2ca76272f46fe8b5a678c1

    SHA512

    0810fed30ab624c2cd46ebeb1202f3c5ff315ced43924846e418d33b5ff9002c328b68788c8aec33b60be6fd7860bd453849af1df0f40b9f788761064e6ab6d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gHwF9Cvs.xlsm
    Filesize

    25KB

    MD5

    1daa557f381974584e17766f8738fe59

    SHA1

    2ead12f2560bc0df78f71e406a3bcc01b87fab3e

    SHA256

    7b96b4a7d546fe62213daa58e9e4d72bfb259c3064c88146f7c9faf11a00dd86

    SHA512

    8301a93e2a43b19b6fc468004a2218380b58b32dcd46f097c60f665b94ba73bed7dcb98a56db58294ae39368496bdf67870b3c4ca02a58f1d90bf5dfe998767a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gHwF9Cvs.xlsm
    Filesize

    23KB

    MD5

    ce693ee87407c47a2334419e4cbbac4b

    SHA1

    fa573dff59577d2d4bb54202153383ef6f3516a2

    SHA256

    1c09322849d6d8cba34f747e6aee5dfda7e53c4268f4f9472b37a5b95eb7bf0e

    SHA512

    860bac2cf047c258f2ff856373e230840e0cbc27f4e7c7fbe3fa0f4ac5e7bc0ca3a11ffade7ec1bc872ae1e7d26b2ab99b9cefbf2c8875bacecdea13caec63c0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gHwF9Cvs.xlsm
    Filesize

    21KB

    MD5

    1b980332558102741049ed882d3890f7

    SHA1

    87d39d68af1853babe9f16ed3d5c91f87a81a9b0

    SHA256

    d408e6b91a2bb99ff152cfedc39fbb7a1c0003d8b2791f45bed8d75f46ae5cda

    SHA512

    cfde0d327b11d4c96f1f3a3c27af5687c973ec960c01c8a5e1c9610215660c2e6a2d0bb25bb088dc24996a1273aa83bcccbbfe8a1968a4fd3cf1385ffcfd2d34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gHwF9Cvs.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\gHwF9Cvs.xlsm
    Filesize

    26KB

    MD5

    78e0f05dec058ebb60e38dfd22341995

    SHA1

    188409eeedd62f2753b2dc94748cafbd6f6938e6

    SHA256

    e2d59da23ad83244e537529e94b2a67e60257746c3ae5a6b67f7a19d8342d2d2

    SHA512

    09cc6ac3419a0767cd8b385261005d1768b1ea660938abe91b32e6d423e6c3167fb5b85dccec71e9e218a31b78a5d76f847881522d223a62b9a120f91672a754

    Download Submit

  • C:\Users\Admin\Desktop\~$OpenBackup.xlsx
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
    Filesize

    828KB

    MD5

    7d5724acae0035a43ce2e1dbd26ad922

    SHA1

    983f2ad2a4ba4a583642d60fd38037037a11145f

    SHA256

    1c64ef3803d7117182aa028dcae107a4f37af2662df8b7935ecf5cd99b75b948

    SHA512

    04d524c750d9d54ca1336361fab53c33ebcd1a625363546e1d0e1603db43c9854ca7325ac1e00da81a4e5853aae4c98d0caf148752411ab0663990b5eb6cc695

    Download Submit

  • memory/328-231-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/328-137-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/660-142-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/660-229-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2064-14-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2064-46-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2064-26-0x0000000004020000-0x0000000004051000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2228-134-0x00000000048B0000-0x00000000048B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2228-37-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2228-136-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2600-135-0x0000000005060000-0x0000000005062000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2600-138-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2684-76-0x00000000040F0000-0x0000000004121000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2684-140-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2684-233-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2684-236-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2684-280-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download