Overview

overview

10

Static

static

10

65c51559a3...fb.exe

windows7-x64

10

65c51559a3...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65c51559a35715c766bfbff927e7fd1bbbe5668b6e8e433ac284ffebd3fa29fb.exe

  • Size

    135KB

  • MD5

    4f9e3ac0c4f0d133a6f267302deb676e

  • SHA1

    3459ed82b7945a5ed9716dc2c20bffc0872d27dd

  • SHA256

    65c51559a35715c766bfbff927e7fd1bbbe5668b6e8e433ac284ffebd3fa29fb

  • SHA512

    9a42990f9e75332a75b0ea9f7ef2adb837e8b27dc90f3c33ce42d116afef4797bfd1ba090b28190146c5b209dcc17deee12ff00fc7aff902367f7071aca2b778

  • SSDEEP

    3072:v5rCqOP1iYxpX58VcGp3/zsaMWr85C35rCqOP1iYxpX58VcGp3/za:v5ezrnOLs1W935ezrnOLa

Score
10/10
neshtadiscoverypersistencespyware

Malware Config

Signatures

  • Detect Neshta payload 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65c51559a35715c766bfbff927e7fd1bbbe5668b6e8e433ac284ffebd3fa29fb.exe
    "C:\Users\Admin\AppData\Local\Temp\65c51559a35715c766bfbff927e7fd1bbbe5668b6e8e433ac284ffebd3fa29fb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
    Filesize

    135KB

    MD5

    4f9e3ac0c4f0d133a6f267302deb676e

    SHA1

    3459ed82b7945a5ed9716dc2c20bffc0872d27dd

    SHA256

    65c51559a35715c766bfbff927e7fd1bbbe5668b6e8e433ac284ffebd3fa29fb

    SHA512

    9a42990f9e75332a75b0ea9f7ef2adb837e8b27dc90f3c33ce42d116afef4797bfd1ba090b28190146c5b209dcc17deee12ff00fc7aff902367f7071aca2b778

    Download Submit