Analysis
-
max time kernel
51s -
max time network
33s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 04:59
Behavioral task
behavioral1
Sample
NL Brute.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
NL Brute.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
NL Brute.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
NL Brute.exe
-
Size
7.8MB
-
MD5
aa7a175b442aa64c84fb306979a4320b
-
SHA1
a7cd106acbc7675337977f55387b92145190eb1c
-
SHA256
b3c4140104b09723a786c120c921b9e46d7b50be5fb0bd4afa7bbb23069948de
-
SHA512
bab9d021d7d1efb24298cb66f29d1d2b716a8ea24e44891cc01a1a3249cf32bfdf1688cac70e33f336c2e70b967ae3e22f3855c9dafdeb2d1f67e6e98adb4295
-
SSDEEP
196608:CfP0p8Y4DFbBJ5dIa82Vou2j09a3XAydVdODHMD16UAsdf6:CO8YwFV/dIa8wp2j09qXAyYDHMDYrsdi
Malware Config
Signatures
-
Detect Neshta payload 5 IoCs
Processes:
resource yara_rule behavioral2/files/0x0006000000020228-21.dat family_neshta behavioral2/memory/4940-108-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4940-112-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4940-116-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4940-119-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
NL Brute.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ NL Brute.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
NL Brute.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion NL Brute.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion NL Brute.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
NL Brute.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation NL Brute.exe -
Executes dropped EXE 1 IoCs
Processes:
NL Brute.exepid Process 1096 NL Brute.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
NL Brute.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine NL Brute.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
NL Brute.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" NL Brute.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
NL Brute.exepid Process 1096 NL Brute.exe -
Drops file in Program Files directory 64 IoCs
Processes:
NL Brute.exedescription ioc Process File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE NL Brute.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE NL Brute.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe NL Brute.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE NL Brute.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe NL Brute.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE NL Brute.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe NL Brute.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe NL Brute.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe NL Brute.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe NL Brute.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe NL Brute.exe -
Drops file in Windows directory 1 IoCs
Processes:
NL Brute.exedescription ioc Process File opened for modification C:\Windows\svchost.com NL Brute.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
NL Brute.exeNL Brute.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NL Brute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NL Brute.exe -
Modifies registry class 1 IoCs
Processes:
NL Brute.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" NL Brute.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
NL Brute.exepid Process 1096 NL Brute.exe 1096 NL Brute.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
NL Brute.exepid Process 1096 NL Brute.exe 1096 NL Brute.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
NL Brute.exepid Process 1096 NL Brute.exe 1096 NL Brute.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
NL Brute.exepid Process 1096 NL Brute.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
NL Brute.exedescription pid Process procid_target PID 4940 wrote to memory of 1096 4940 NL Brute.exe 86 PID 4940 wrote to memory of 1096 4940 NL Brute.exe 86 PID 4940 wrote to memory of 1096 4940 NL Brute.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\NL Brute.exe"C:\Users\Admin\AppData\Local\Temp\NL Brute.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1096
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86KB
MD53b73078a714bf61d1c19ebc3afc0e454
SHA19abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA51275959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
7.8MB
MD5025c1c35c3198e6e3497d5dbf97ae81f
SHA16d390038003c298c7ab8f2cbe35a50b07e096554
SHA256ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4
SHA5121d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50