Overview

overview

10

Static

static

10

NL Brute.exe

windows7-x64

10

NL Brute.exe

windows10-2004-x64

10

NL Brute.exe

windows10-ltsc 2021-x64

10

NL Brute.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    50s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08-11-2024 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NL Brute.exe

  • Size

    7.8MB

  • MD5

    aa7a175b442aa64c84fb306979a4320b

  • SHA1

    a7cd106acbc7675337977f55387b92145190eb1c

  • SHA256

    b3c4140104b09723a786c120c921b9e46d7b50be5fb0bd4afa7bbb23069948de

  • SHA512

    bab9d021d7d1efb24298cb66f29d1d2b716a8ea24e44891cc01a1a3249cf32bfdf1688cac70e33f336c2e70b967ae3e22f3855c9dafdeb2d1f67e6e98adb4295

  • SSDEEP

    196608:CfP0p8Y4DFbBJ5dIa82Vou2j09a3XAydVdODHMD16UAsdf6:CO8YwFV/dIa8wp2j09qXAyYDHMDYrsdi

Score
10/10
neshtadiscoveryevasionpersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 4 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NL Brute.exe
    "C:\Users\Admin\AppData\Local\Temp\NL Brute.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\NL Brute.exe
    Filesize

    7.8MB

    MD5

    025c1c35c3198e6e3497d5dbf97ae81f

    SHA1

    6d390038003c298c7ab8f2cbe35a50b07e096554

    SHA256

    ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4

    SHA512

    1d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50

    Download Submit

  • memory/2892-134-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2892-132-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2892-128-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3508-124-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-13-0x0000000006040000-0x0000000006041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-15-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-14-0x0000000000401000-0x000000000081B000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3508-30-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-56-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-112-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-12-0x0000000006050000-0x0000000006051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-125-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-126-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-127-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-11-0x0000000006030000-0x0000000006031000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3508-129-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-130-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-131-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-10-0x0000000077536000-0x0000000077538000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3508-9-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-135-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-136-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-137-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download

  • memory/3508-138-0x0000000000400000-0x0000000001C9F400-memory.dmp

    Filesize

    24.6MB

    Download