Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25-11-2024 18:19

General

  • Target

    80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe

  • Size

    3.1MB

  • MD5

    b33401ccbd7df90fa9c62a08f6e68ff0

  • SHA1

    a472dfc278d1fa835dbd1ed36b67ff5f81d0d43f

  • SHA256

    80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5a

  • SHA512

    0205ed325792845a885b593a4efc0c802381c5345be61994337f5fcce166637d8a93e6e3f3614ce8ff70d8dde13928cbc3b8b29332ffbc835888bf7ac354f1d1

  • SSDEEP

    49152:JmQNGDaYknGIqya9J5aAUNin0VvfQqizjKlOtaqq+G+:dGCWJa5

Malware Config

Signatures

  • Neshta

    Neshta-family malware injects itself into other executable files in order to spread, damaging the files it infects.

  • Neshta family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe
    "C:\Users\Admin\AppData\Local\Temp\80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Users\Admin\AppData\Local\Temp\3582-490\80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4000
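
The process tree above shows the infected sample (PID 212) launching a same-named copy of itself from a 3582-490 directory under %TEMP% (PID 4000), alongside the "Modifies system executable filetype association" signature and the svchost.com dropped into C:\Windows. The following is an added triage script written for this page, not code from the sandbox report or from the malware: it checks those three artefacts on a host. The stock default of the exefile open command is `"%1" %*`; the report records only that the association was modified, so the assumption that Neshta interposes svchost.com in front of the real target is labelled as such in the code.

```python
"""Added triage helpers for the Neshta artefacts the report above records.

Example code written for this page, not part of the sandbox report. What it
checks comes from the report: the exefile association was modified,
C:\\Windows\\svchost.com was dropped, and the infected sample (PID 212)
launched a copy of itself from %TEMP%\\3582-490\\ (PID 4000). The exact
registry value Neshta writes is not shown in the report and is assumed here.
"""
import os

# Stock Windows default for HKCR\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
# Paths observed in the report.
NESHTA_STUB_NAME = "svchost.com"
NESHTA_DROP_DIR = "3582-490"


def classify_exefile_command(value):
    """Classify the (Default) value of HKCR\\exefile\\shell\\open\\command.

    Returns "default", "neshta-style hijack" (svchost.com placed in front of
    the real target, the pattern commonly reported for Neshta; assumption) or
    "non-default" for any other wrapper around "%1".
    """
    norm = " ".join(value.split())
    if norm == DEFAULT_EXEFILE_COMMAND:
        return "default"
    if NESHTA_STUB_NAME in norm.lower():
        return "neshta-style hijack"
    return "non-default"


def is_neshta_launch_chain(parent_image, child_image):
    """True when a process launched a same-named copy of itself from a 3582-490 dir.

    Matches the parent/child pair in the Processes section: the infected host
    runs the stub, which writes the clean host to %TEMP%\\3582-490\\ and runs it.
    """
    parent_name = parent_image.replace("\\", "/").lower().split("/")[-1]
    child_parts = child_image.replace("\\", "/").lower().split("/")
    if len(child_parts) < 2:
        return False
    return child_parts[-1] == parent_name and child_parts[-2] == NESHTA_DROP_DIR


def find_neshta_paths(windir, temp_dir):
    """Return on-disk artefacts: the stub in the Windows dir and the drop dir contents."""
    hits = []
    stub = os.path.join(windir, NESHTA_STUB_NAME)
    if os.path.isfile(stub):
        hits.append(stub)
    drop = os.path.join(temp_dir, NESHTA_DROP_DIR)
    if os.path.isdir(drop):
        hits.extend(os.path.join(drop, name) for name in sorted(os.listdir(drop)))
    return hits


def read_live_exefile_command():
    """Read the live association on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValue(key, None)


if __name__ == "__main__":
    live = read_live_exefile_command()
    if live is not None:
        print("exefile command:", live, "->", classify_exefile_command(live))
    windir = os.environ.get("WINDIR", r"C:\Windows")
    temp_dir = os.environ.get("TEMP", os.path.join(os.environ.get("LOCALAPPDATA", ""), "Temp"))
    for path in find_neshta_paths(windir, temp_dir):
        print("artefact:", path)
    # Process-tree check using the parent/child pair recorded in the report.
    parent = r"C:\Users\Admin\AppData\Local\Temp\80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe"
    child = r"C:\Users\Admin\AppData\Local\Temp\3582-490\80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe"
    print("launch chain matches Neshta:", is_neshta_launch_chain(parent, child))
```

The registry read only runs on Windows; the string classifier and the process-chain matcher work anywhere, so they can be applied to exported registry values and EDR process telemetry offline.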

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

    Filesize

    9.4MB

    MD5

    42f04c348bd2f3660ae1a7d0f42c7ac2

    SHA1

    73eebf51d35ee8dbffaa0c0dfe49df2b8351a526

    SHA256

    d9ee58eccba70f298ea614b67ec364995b1b5bb5ab6454acb90da19357a83e60

    SHA512

    a76354b91cd63b806510c26f47a75b156288bacc75c002b63c21bfd99b608409cf51a4d63c5baa02b1b757e7250c666aacd496e54b91e1d66856ea09f08d72eb

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

    Filesize

    386KB

    MD5

    fdbc5bb0dc123c2e937c3411e4deb81d

    SHA1

    49d95fb7da0cad2db097463f8bcf19dec4dc2dad

    SHA256

    29572d4fc72e987613358da2ea733b26ae28cec57f1ddd267dcc087b2a182fe5

    SHA512

    a24ff084e452459ec5358b0af188f84155fbae105619d0ec5a25a1601bfdb85cec1623deb92c9e625d65cc5b812344a69129bfd57a09306e67ed3b34d15464ca

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

    Filesize

    92KB

    MD5

    431f24d0c8232ab8f10c524f63c9de52

    SHA1

    e069e3ad9d537fe903df58ab4954253d25eaf17f

    SHA256

    2d0a8fae3ef1b233d3533e0ff73a91d31c47c5b4d17951c5a2ed781d08af29a1

    SHA512

    c14dff99e1ebc0116a5080a933cd8e467a5f04d0bdd80d80908cbe9b9ca687cbffb32ecda01448f050126b1a2d1fd1775543a5e39104ac5ffd36293982ce2ed0

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

    Filesize

    142KB

    MD5

    1d94002d052e81b95e9c277d2c850cd3

    SHA1

    f357df61f2a8c2c1c94ac8091581ecdad3f16cfe

    SHA256

    df32395c491e6d6109d36adf41d99b16e5fc0c6b450334fa726c4236937b5386

    SHA512

    efaa49d6bf323446aaad05651eff76182b5e418ca9602858823ce1bf2ac7479d3a87e929fdfb7f0306aeac5f7a508dc8e9229a447fcb291519c03e98b70165cf

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

    Filesize

    278KB

    MD5

    13ecf2459197c4db93996a0e20826151

    SHA1

    7b1edc0cca3f9ea03d43f591705d5568d59d411b

    SHA256

    144969846889a10588295231b13f2d94788f5e529b22b72bb77e19b93a3e9b82

    SHA512

    e9f547c560dbe4e078e3c9fbe73c2a5a4aae7b13bb64f88b503146c43fe67dd268ff1ff9bdacc4072797ecec322fcf2cf24e9d5da44cfcd35a566df0951893a4

  • C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

    Filesize

    454KB

    MD5

    29549c69230616530b885a1803c54284

    SHA1

    f5868d19a6908853e857bd0b0fa2e0c1f75f28fc

    SHA256

    d0cae5d77ce52451eb90e3f729a63efc8bdb33e5a7aa5c7dea14e10b190b0fed

    SHA512

    6d792ea8ec0f2b6961c76c883021490ce52dfb6a3f620c929b184e978935267f82f45ef45400c5597d5bac76f51853ba41cca8fb7de7638ee605d95204df6cae

  • C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

    Filesize

    1.2MB

    MD5

    6443d350fc468cb12d003b9f90b29bea

    SHA1

    998353cc170802e82dce38ea8aaa38446c227ab2

    SHA256

    4e19bd1a1f4f94bae7abfe281c8e2f673771fc0c27c7a0bb8aa8ffe563361a90

    SHA512

    ea94fdcd0b1625bc402764e507e666b76502f68ac7e3e245830f6998ca8ff810115951639d5437353b1b76ff55e88f1db716c26f3c8f7f53aca49c067d844ab9

  • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

    Filesize

    555KB

    MD5

    35810802765c405f0d5127cc94ab9c36

    SHA1

    78d1df8945cbb4dab13216cef7cfd56d6be9ef6b

    SHA256

    68afdf057359fa69829101cc530af5cb2b7cd9960faf4d1a623a303b4ae46d53

    SHA512

    1098a1b2c6b9fcd6d0541ebbb38d52dd653ea3c5d05ac59b325745590b7782ded610205431b7b5d2ef165254c3ac6e83863560afd773330fa5cab8f07a88a694

  • C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

    Filesize

    325KB

    MD5

    87488f2f43b70c6c226adddf038ebaab

    SHA1

    8f92697c535af54ef174853c63ee0cb4fffcf251

    SHA256

    e6e438c4c686966749b602be207393e00abc1d9076ea564d0eab1113f6b6be79

    SHA512

    90eb1f8bfa61841bd5687b8bc752af6e017bfb332a2b45d5b8f49b3bb37178327dd23aad15cdda1731f5e42dfc8b59c9af84f7397049e6724e870490d2a2a41b

  • C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

    Filesize

    325KB

    MD5

    ffa6ae66d0062b01f49bbf4383d6c8c9

    SHA1

    87c4ab334bcb5ae5d78a7fffd44f9ca155494ea1

    SHA256

    57c54f040af99ebc1f3adf77c76e9c9a770a70738c8355f41cdf57abc3de2999

    SHA512

    0cc91c13177629bc38b7b6b121fb3638c6c56a2abf848be9fc93b5b71448d4e00256244a3582f8b82f4f3a11e60568c58c3a3b00c037298b0a3508f7fdec55a4

  • C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

    Filesize

    146KB

    MD5

    e741d3ec1deec3d22001c74cc47c6fde

    SHA1

    8632be6809b5dfc0c8f62ac9fab778ea83ece9b4

    SHA256

    9b009690823ecb944075619bfd0a9b8b829113024549d5d97988347a1820ec37

    SHA512

    cc7b793ce45fd21f71b688b7ecd8e3b6129a3de68fb74b10910438df5d288ad9a989d13c77016bfd73773754c463b5ccb7093248b8a2298da2dbb77926b0a31a

  • C:\PROGRA~2\Google\Update\DISABL~1.EXE

    Filesize

    198KB

    MD5

    ce29575b45e0f32aaa070e5f4ac58f43

    SHA1

    b1ca2c05aab43f078fe5a7a90eba5634814cfb3d

    SHA256

    39cf1d173373038e0a4dac32e7b7c9ee91cbd86a50c9f4d4ce5ba288bb1c1a21

    SHA512

    8cfa86dcd17c4b45a172fa3a8d1efcd1f15591c26baa89dc7404bb3d1303107be9a3bb1f589ca6da4453b8b39e791f7bfca1684d2a9eb35fb748f927b2b9b38c

  • C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

    Filesize

    250KB

    MD5

    2ceb9dd483bc7a600af7854b9bb447d6

    SHA1

    e19a52069e0356418eb6cad6b7d6eabd66ccf0f3

    SHA256

    79790c8ab802120479be0c77ffc25c0021f8f74ceebd5d2cab7f10787723afdc

    SHA512

    5238a07dbcd5710ddffbdee1683e6ba5f5a8e423a2b54fa2f3c82122d19a0221c280fc48e400a3a1f1c3c8e705c69bb0be6a49ebdebdbc5883c42ae02e4face0

  • C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

    Filesize

    509KB

    MD5

    6a92cf7512d0e48868245de03a1560c7

    SHA1

    e10e687a23e93ef7c6a1ebedb130411eea15d32a

    SHA256

    b34225fe27ed0e6242f32d6867f2d5ce62e86ff9c893c4ccfa86dc1ef8eff9ba

    SHA512

    f8639dc6bced9ed29f14ee280e9da9019b267eeb3bb4c278f9e4c009e4e38710d9a22d078d814c5e47758ddbe6503e37674f143d073977947654633b626e9707

  • C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

    Filesize

    138KB

    MD5

    5be27c265ee1d72b79459a136eea29d3

    SHA1

    4c2ff3c419d03711ff4fce8c3a573acb78da1cb4

    SHA256

    0c511b274faf722d3f9c1a74e2bf027bf183c3c7c2f6fb8d3ea717da73efdc2c

    SHA512

    b307d7351965d1d12b829cf0496c667de81d9e97c62c6a08e65614eea35d6d8b00792b45103cacfd56b5afc27034e165472b49fa0888a1bf5ed78b8bf79c7ce9

  • C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

    Filesize

    2.8MB

    MD5

    880ea78588ba0fc72204b95a9d3d04ab

    SHA1

    3a301e63f04935da57a93057c290f8ba39c57494

    SHA256

    49406436a1f3c19b0dbddf460b209d1efb067b0274e91cac9cc24176c036710f

    SHA512

    c7372eb6385a79db3c03cf5b5ad10e3db299ebb4b4d20596294af016c9d53b1ab25945d0b78d497bd811792541e33293e7eb7fc8fdf9051ba8f1901174d35b8f

  • C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

    Filesize

    3.2MB

    MD5

    0d108f185b8a8b0c012620e876bf6178

    SHA1

    2afd7069968e4f0d28a937379c23a21712f22187

    SHA256

    5a9da540cd481c8e09548c6d0f3dbcc56035ac7f3071b9f43e782afdf41e3b4c

    SHA512

    f61526f1a4a0d37f1f975ae059fdb5b4d99b45952a31d7ccaa03ccc404436d10616634d97efe1c2a3fdeb36c81905a2bfd9ccca1d7cb7ff58968aa1f74bb0dbb

  • C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

    Filesize

    274KB

    MD5

    dc8781dd01f7d5ae9df608a0e0a7453b

    SHA1

    b7c6a862e964ecb7e159170de7c6935d2b0c0af6

    SHA256

    8d18e0a5742c08e966763f33076af3a25934be2bafcc9cf9219a86f5b8306bb9

    SHA512

    d8ec1597c9600f76328f59b52d7f19edc04ab433b7b996268e6e804c878ab91ce8b21f76299da4404c014b7189d21711f23c19c0aafc68b4e0b279272e127edc

  • C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

    Filesize

    494KB

    MD5

    6aee90771b10e7e1497b9bdd0ecfa55b

    SHA1

    612a5633f2f55ae307002b043bf0b2c642db54b8

    SHA256

    60f8bb0fa9a4e6cd972f0d8eef0287545a4958fbbfbdbc5ba614fdb895faf61a

    SHA512

    1665a99def807dfe69093c60e789b9a06f6f3a678985dcec3aaeb058fb804222c05d8112f5ee16a990e42de295e88c06b1133a29f498f9fcff2d041a85338fcb

  • C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

    Filesize

    650KB

    MD5

    cdc1be452c450de1f77f492e586fff43

    SHA1

    259e26c94226b25faebb952ae97c448ad992ebe7

    SHA256

    a7429d3d6280c97e9e95c101327ea62e626e71e669a533b122836fe0e54869df

    SHA512

    a01f360504670f29e2dddf59a143d332960e748b5dd9738e68f23f176287d726a0037c7d5dc45baa3aff8a15ee7be00af551fb58601ba490472002e5a9bc8875

  • C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

    Filesize

    495KB

    MD5

    faf450977929876b9c827d6542643999

    SHA1

    0a5c4da101006443115470f7e9595ee242180afa

    SHA256

    ab6b4b545383e2f7c51be225e7dc6b41ab931f43232972fe6934e7c3b678aba9

    SHA512

    2d5b57551dc1b9853a9c9fac37b6cd67a94bee2397464414c87fea8bfaf74285eb2b83c821a10308c41ba0c83ad4063fd86752eaa4a1b9d00bfa29cad3643bd9

  • C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

    Filesize

    6.7MB

    MD5

    3405e5146acd1cab91b2beb52b657026

    SHA1

    03d5cf1234d826445af4136dca9783f8796af7c9

    SHA256

    588792a07fd8b6f463bdbd932b94feffec199173fc28355f175fd5320b4038a0

    SHA512

    1e101a01f258d0843981d2cf851a62b838471e01d52eac146c02f66b562255a44565cb64b5697fd666aa1226ab37099c5843395f45476460938b6c8822990486

  • C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

    Filesize

    485KB

    MD5

    5ebc8c778e62c629440b8ae99a00b32f

    SHA1

    57dc54373d109bcf89d756053167eb9a193aa703

    SHA256

    f0601c0d2cc70c2584f4b4cf1193e9374c5e7795ad223458ad5ecb1c7fd6078d

    SHA512

    03e7781de4c8e62059b248a7096e14e04e55ec202fd48ed35606950248ed4a566846d15b72fca1d1a1df6845532b800aa756edd50faaa23a2031b064d11d2820

  • C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

    Filesize

    674KB

    MD5

    ed615f104caf3369a06385ffc98ee0f4

    SHA1

    67b15c391dea2fa1cc26a25f6ea4f1d6333f0349

    SHA256

    9c19d05946f33c5dfcb096f52c7ab302ddf113c4d228b8155e1c5864ed5c0b66

    SHA512

    24daf94f488a80d35944530da53d069a81a28befe0e24327f397e321e6367a4e7dc9ef02448fa5f14da7e7136981133c0a053a245355d6841a4134a4bc425057

  • C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

    Filesize

    674KB

    MD5

    dc5a6d91c1f96f5148dee0c0649a2aa9

    SHA1

    1399d72eed6311bf705e1e9978a676ca51bf6359

    SHA256

    2373346e1e04b8dc5df5131eb82f7d45496e97155558625f3ac46a5579ecb866

    SHA512

    5d8c9b75c8907087bb116393ce6456a8a6ae489f2fed99ef9b1696a75373d30678151e6e5d8c6cb62cc93c1e1dcc8a8ce3a29f67a7aa3ad60bd143b4fc0aa3b5

  • C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

    Filesize

    495KB

    MD5

    aa6fb5090ee47744156cf2a097312dc7

    SHA1

    a9898494a944961e348a3c5ac454a403909051de

    SHA256

    d7b49a8746384ac3311eb834bf8c86ec401f093720dee50d34783c6e66ad2252

    SHA512

    049daacbd9fe3ccbb1a23c07f5b8437330258667ddcaf5a3a215745e763b0354f0906e1d72bc0a612ce90d32ad4ee33b8ad44e987b75e6a4f5dc1d485df17184

  • C:\Users\ALLUSE~1\PACKAG~1\{63880~1\WINDOW~1.EXE

    Filesize

    650KB

    MD5

    381672863e94fa4d073d6538163bcf43

    SHA1

    03ba774ec392befba3c3751bca50cba48cfb92f5

    SHA256

    29babf98240634a4610349bf082388fa9da6ac86c56c6103a6abeb57481c4fa5

    SHA512

    6c36eafe19de678259a11af64c62a0f0ba334a5f36fcde131eb39da237e74ebf9597624023639481204d5aace5b67fdb2fa42d3dabfb57df3317adc582d60b59

  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

    Filesize

    525KB

    MD5

    2d514b2617e927386b4c8ad3a90be5aa

    SHA1

    ce3eb87f885b932c0549389e71d6bd854e5e6d6c

    SHA256

    b759905b2fe9dc2010031c53586d9b57afecbe79f259baedd150da52d237d3f3

    SHA512

    3285478a3283be50965043184daab853edaa65b51319bc620cd7b1bcbfb72d0958fff72965bd607d36deaf931c715372c4eda1ce9bf663606ecef9c70c3970b8

  • C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

    Filesize

    650KB

    MD5

    951f43e643678df43a5bc9910528b809

    SHA1

    47fad1e2e119c1b53d7fd3039aa9eed633d22549

    SHA256

    b7716b1ccad50896e4cb7cdeaae3afae11c01acde45fd2224fa073013c4c0f7c

    SHA512

    7f1aa8f36b64da95af5ede14c5036bf56e2706c5f1fcdcee755cf0b3e81df100f285dc216b53ef32bf0359263e5b82a518f08d6452aee60f30d9dbf6ee1bcbae

  • C:\Users\Admin\AppData\Local\Temp\3582-490\80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5aN.exe

    Filesize

    3.1MB

    MD5

    578c2b1681e4dd266b131649bc439149

    SHA1

    92bfa1143f4723b2e2f4d263c85a548c805ca918

    SHA256

    a7456d542d182cef4555834499719829a993d6630baa6d2a157cfc9c05974fee

    SHA512

    07fdc5562d460394d832ff4e9ec22ad6636baadb1edbf3cd3296ed1472f646c956bb14cda59494cafb4f19d4f31647ab9aeed65c8403f0b3485527d62ef6055d

  • C:\Windows\svchost.com

    Filesize

    40KB

    MD5

    4fb70c0fd54720b342f64962fc337f3c

    SHA1

    bde0fd99c47e3dd15c54c8640bf4040a46ac20b2

    SHA256

    6fe9298a4d6d49a5dea8559d3defa958bca5cf00d23ae398614f76caeb35516c

    SHA512

    a5583652f4a8384cffcbe1dc9b863232c32c101e670d8c06e9ac3ea1877ee4d3a29f83c2f116e6c46d73be6695b7ddbaf678d96ea76142dfd29a586b6ef7f118

  • memory/212-141-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/212-135-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/212-145-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/212-137-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/212-139-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/212-143-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4000-138-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4000-142-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4000-140-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4000-136-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/4000-146-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB
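
The Downloads list above is the file-IOC set for this run. As an added example written for this page (not code from the report or the malware), the script below sweeps a directory tree for those hashes and separates the two indicators that travel with the malware (the submitted sample and the dropped svchost.com stub, plus the clean copy) from the Program Files hashes, which are this VM's own installed binaries after infection and will not match on another machine. It also carves the original executable out of an infected file; that step assumes the infected layout is stub followed by the original PE, which the 40KB svchost.com and the equal-sized 3582-490 copy are consistent with but which the report does not state.

```python
"""Added example (not part of the sandbox report): sweep a tree for the file
IOCs listed in Downloads and recover the host from an infected executable.
Only the sample and the svchost.com stub are durable indicators; the Program
Files hashes belong to this VM's binaries after infection and are kept apart.
Host recovery assumes infected file = stub + original PE; the report's 40KB
stub and equal-sized 3582-490 copy fit this, but the layout is an assumption."""
import hashlib
import os

# Indicators that travel with the malware itself (from Downloads above).
DURABLE = {
    "80b488ad8cbe9ad102171b5bb9f5f2437e1c4351cce0ae8278f1a0de8d4c0e5a": "submitted sample",
    "6fe9298a4d6d49a5dea8559d3defa958bca5cf00d23ae398614f76caeb35516c": "svchost.com stub",
    "a7456d542d182cef4555834499719829a993d6630baa6d2a157cfc9c05974fee": "clean copy in 3582-490",
}
# Infected Program Files binaries from this sandbox run only (from Downloads above).
ENVIRONMENT_SPECIFIC = {
    "d9ee58eccba70f298ea614b67ec364995b1b5bb5ab6454acb90da19357a83e60",
    "29572d4fc72e987613358da2ea733b26ae28cec57f1ddd267dcc087b2a182fe5",
    "2d0a8fae3ef1b233d3533e0ff73a91d31c47c5b4d17951c5a2ed781d08af29a1",
    "df32395c491e6d6109d36adf41d99b16e5fc0c6b450334fa726c4236937b5386",
    "144969846889a10588295231b13f2d94788f5e529b22b72bb77e19b93a3e9b82",
    "d0cae5d77ce52451eb90e3f729a63efc8bdb33e5a7aa5c7dea14e10b190b0fed",
    "4e19bd1a1f4f94bae7abfe281c8e2f673771fc0c27c7a0bb8aa8ffe563361a90",
    "68afdf057359fa69829101cc530af5cb2b7cd9960faf4d1a623a303b4ae46d53",
    "e6e438c4c686966749b602be207393e00abc1d9076ea564d0eab1113f6b6be79",
    "57c54f040af99ebc1f3adf77c76e9c9a770a70738c8355f41cdf57abc3de2999",
    "9b009690823ecb944075619bfd0a9b8b829113024549d5d97988347a1820ec37",
    "39cf1d173373038e0a4dac32e7b7c9ee91cbd86a50c9f4d4ce5ba288bb1c1a21",
    "79790c8ab802120479be0c77ffc25c0021f8f74ceebd5d2cab7f10787723afdc",
    "b34225fe27ed0e6242f32d6867f2d5ce62e86ff9c893c4ccfa86dc1ef8eff9ba",
    "0c511b274faf722d3f9c1a74e2bf027bf183c3c7c2f6fb8d3ea717da73efdc2c",
    "49406436a1f3c19b0dbddf460b209d1efb067b0274e91cac9cc24176c036710f",
    "5a9da540cd481c8e09548c6d0f3dbcc56035ac7f3071b9f43e782afdf41e3b4c",
    "8d18e0a5742c08e966763f33076af3a25934be2bafcc9cf9219a86f5b8306bb9",
    "60f8bb0fa9a4e6cd972f0d8eef0287545a4958fbbfbdbc5ba614fdb895faf61a",
    "a7429d3d6280c97e9e95c101327ea62e626e71e669a533b122836fe0e54869df",
    "ab6b4b545383e2f7c51be225e7dc6b41ab931f43232972fe6934e7c3b678aba9",
    "588792a07fd8b6f463bdbd932b94feffec199173fc28355f175fd5320b4038a0",
    "f0601c0d2cc70c2584f4b4cf1193e9374c5e7795ad223458ad5ecb1c7fd6078d",
    "9c19d05946f33c5dfcb096f52c7ab302ddf113c4d228b8155e1c5864ed5c0b66",
    "2373346e1e04b8dc5df5131eb82f7d45496e97155558625f3ac46a5579ecb866",
    "d7b49a8746384ac3311eb834bf8c86ec401f093720dee50d34783c6e66ad2252",
    "29babf98240634a4610349bf082388fa9da6ac86c56c6103a6abeb57481c4fa5",
    "b759905b2fe9dc2010031c53586d9b57afecbe79f259baedd150da52d237d3f3",
    "b7716b1ccad50896e4cb7cdeaae3afae11c01acde45fd2224fa073013c4c0f7c",
}

def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_hash(digest):
    """Return ('durable', label), ('environment-specific', None) or None."""
    digest = digest.lower()
    if digest in DURABLE:
        return ("durable", DURABLE[digest])
    if digest in ENVIRONMENT_SPECIFIC:
        return ("environment-specific", None)
    return None

def sweep(root):
    """Return (path, kind, label) for every file under root whose SHA-256 is an IOC."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                match = classify_hash(sha256_of_file(path))
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if match:
                hits.append((path, match[0], match[1]))
    return hits

def carve_host(infected, stub_len):
    """Return the original PE if `infected` is stub + PE host, else None.

    stub_len should be the byte size of the svchost.com dropped on the same
    host, since that file is the bare stub (layout assumption, see docstring).
    """
    if len(infected) <= stub_len or infected[:2] != b"MZ":
        return None
    host = infected[stub_len:]
    return host if host[:2] == b"MZ" else None

if __name__ == "__main__":
    import sys
    for path, kind, label in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:21} {label or ''} {path}")
```

To recover a host program, read the infected file and call `carve_host` with `os.path.getsize` of the svchost.com found on that machine as `stub_len`; a `None` result means the file does not fit the assumed stub-plus-host layout and should be looked at by hand rather than trusted.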