Overview

overview

10

Static

static

3

840defe8e9...7N.exe

windows7-x64

10

840defe8e9...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2024, 00:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe

  • Size

    648KB

  • MD5

    55b4ec853390f6e8f0fb4e950aca3640

  • SHA1

    d3a60e1c200257d505dcb8b288c7ab8b7fab5e43

  • SHA256

    840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7

  • SHA512

    289b4e9b9fb011850dc89d4904db0ad2687d95b68b4d63956b7a73570d2b372ef963fd397fc78fa587843540009406fb3dabd41980d8cb77fa9b09aae6123dd9

  • SSDEEP

    12288:DEsd9PZfePv3xl7ft7V+6uC+zd5qLlE03wBf5qUKODnmbCtL:D39PZfePv3r7fm6t+jqpb3A5qfOA4L

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe
    "C:\Users\Admin\AppData\Local\Temp\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\3582-490\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\Temp\{4351BF41-93F5-4999-BC41-65D624393B6F}\.cr\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe
        "C:\Windows\Temp\{4351BF41-93F5-4999-BC41-65D624393B6F}\.cr\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\3582-490\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe" -burn.filehandle.attached=288 -burn.filehandle.self=292
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2188

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
          Filesize

          547KB

          MD5

          d30b36247185a670852f45098eb9a8e6

          SHA1

          f37447d3b870174444e0834bd13629fc9804e6f2

          SHA256

          e57de7cf83c9f5dc4810d748b3907f65f2909eb6391c140ed0b049c452f7d270

          SHA512

          d1100b0403e95b035e66841db8a64a710a5f7f1b984f51089259468a21ef7696d65e7a3e84b2f774b000c8016eead784810b336455fc9cd7b6663ebf9abb433b

          Download Submit

        • C:\Windows\Temp\{2EB615D3-5D2B-45DD-AF74-C00CC9FE1B45}\.ba\bg.png
          Filesize

          4KB

          MD5

          9eb0320dfbf2bd541e6a55c01ddc9f20

          SHA1

          eb282a66d29594346531b1ff886d455e1dcd6d99

          SHA256

          9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

          SHA512

          9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

          Download Submit

        • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
          Filesize

          252KB

          MD5

          9e2b9928c89a9d0da1d3e8f4bd96afa7

          SHA1

          ec66cda99f44b62470c6930e5afda061579cde35

          SHA256

          8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

          SHA512

          2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

          Download Submit

        • \Users\Admin\AppData\Local\Temp\3582-490\840defe8e9b6508017a2ff6a571effbbb69a853b0229bb8abd96a6358d0c38f7N.exe
          Filesize

          608KB

          MD5

          d73468bae3dee29164dd9f7fb0ed49cd

          SHA1

          a1eb8fbe9916008d3948ec64b407600b40cc958c

          SHA256

          9b8b7390579a87b3f6a1370a31c92ebdcbbf0d43a4007ee6f66f3c1887681b15

          SHA512

          05c74c09489ac104b9c8e35e339561a0c09687f1b57caceea23c4dc4d199f9bc2e3941e9530a0b8ce0d9ed131892d86a48dbefce6841748d110f2745ac3341c7

          Download Submit

        • \Windows\Temp\{2EB615D3-5D2B-45DD-AF74-C00CC9FE1B45}\.ba\wixstdba.dll
          Filesize

          190KB

          MD5

          f1919c6bd85d7a78a70c228a5b227fbe

          SHA1

          71647ebf4e7bed3bc1663d520419ac550fe630ff

          SHA256

          dcea15f3710822ffc262e62ec04cc7bbbf0f33f5d1a853609fbfb65cb6a45640

          SHA512

          c7ff9b19c9bf320454a240c6abbc382950176a6befce05ea73150eeb0085d0b6ed5b65b2dcb4b04621ef9cca1d5c4e59c6682b9c85d1d5845e5ce3e5eedfd2eb

          Download Submit

        • memory/2332-148-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2332-171-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download