neshta | e36a6e97ec26a7993619c3aa0ca81765933c9ffad1fd8677e37f6ee0dc94325a

Analysis

max time kernel
123s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1nk.exe
Size

6.9MB
MD5

a49d47a9588316ec6dd3b317cbe70e31
SHA1

199920cacbcf1b4b063c45020142246676c404aa
SHA256

e36a6e97ec26a7993619c3aa0ca81765933c9ffad1fd8677e37f6ee0dc94325a
SHA512

b6b2275038d42f1ad85b04bd0516325c833746ff7ca22a9fe610da724e414cb755286581ad011f6fd584a8997f9d769218b0b09cb840aa1176b0f929738d8699
SSDEEP

196608:+rgtoWli/FTuh6zQ4qWWIioElER//b+2+m+yh/:+kaFtZclER//VQy5

Score

10^/10

neshta discovery persistence spyware

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001939f-52.dat	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1nk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1nk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1nk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2264	1nk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2352	1nk.exe
2424	1nk.exe
2264	1nk.exe

C:\Users\Admin\AppData\Local\Temp\1nk.exe
"C:\Users\Admin\AppData\Local\Temp\1nk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2352

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\1nk.exe
"C:\Users\Admin\AppData\Local\Temp\1nk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2424

C:\Users\Admin\AppData\Local\Temp\1nk.exe
"C:\Users\Admin\AppData\Local\Temp\1nk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\Kport\KPortScan3.exe

Filesize
1.2MB

MD5
83afa4a2c4311654356eb1be826e3d58

SHA1
569525ef34890c0e43c66579ebfceecc6c700812

SHA256
fd08fa6f7dc2bb32a7d7f9184438da32a27d4bdf7bff82f2ad0944007676c0f1

SHA512
38a564c6e58252b79771696be170d4ad3a29ea7fb7460bb80a0f82f130fa62d9f4da4af75c595448287d4e024b65715d79b23c13855a2846bb1d5552db8bd77e

Download Submit
C:\Users\Admin\Music\Kport\QtCore4.dll

Filesize
2.4MB

MD5
438717377b9df0f53f283c9e4aa722cc

SHA1
c413917dfcb816799613c6f86b55952c887ff711

SHA256
a679cf46e128d028de22fb9ed8432e5107e53f8e7e6fb7f5e169b3eeab8f000a

SHA512
03c10588ec47bce9b6c40fedffcaa775b84bb691450789000c17e7df02554036ee336d382524b35bfa67dbc4ae4b95d3d1807d61f46016427856f60850383f3f

Download Submit
C:\Users\Admin\Music\Kport\QtGui4.dll

Filesize
8.0MB

MD5
37957facc9afbdfbd119c8372c9cf0e3

SHA1
1f5584ae75e947ffcbe00dc17bc423bf3f906ad0

SHA256
bf52fec00b4f640d07bea3850096cc77983fca518bbec8122997b7ca561205f1

SHA512
24ef6418f904b646d31912e0f350a0eb10147015bbd4b3710aba62c5a1da5d001600d9a381beb8d871d30cc0b07cf2fdb034f81f60810d8c14899cacdf68ad4d

Download Submit
C:\Users\Admin\Music\Kport\QtNetwork4.dll

Filesize
982KB

MD5
5c6afae60414546cef0a9b759da93912

SHA1
928aba35960a17b9ee3a3e2f2f890b8aa6842e6b

SHA256
99757ec661fd7de3b22fb641f25cf1565aae13daf8d31c6686c6c7cbd2be6fc9

SHA512
bbd7aae541c5677317f68472c4be008164909f6395c43e554c4b070fb398ec680f496505644de0a706f831bc850e770c60c699d5aa0d5a7e0e19c5fc48e5c727

Download Submit
C:\Users\Admin\Music\Kport\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\Music\dControl\dfControl.exe

Filesize
486KB

MD5
c3907fadfc8a2d670f49c92d1f6abf68

SHA1
19519ef98cdbd346741df6f4a2392afc2813308e

SHA256
4464c09d51abe61f5549af936c366c6cffd0e4d588420285f11cde424e6e8e58

SHA512
3302618f51d482f5452560cf15311a802bda6d845ce5abc80c6e3ed8c2afe0f7831ed48f22e1e58c9853d275d9bc32b071c5723a4fd03ec48083bc91f7326d77

Download Submit
C:\Users\Admin\Music\dControl\dfControl.ini

Filesize
79KB

MD5
68b8d43ddfd7502386fb1510e35096f6

SHA1
7878961f848b4e28af983137e4d0f52b9efe9d00

SHA256
69a0dc793736c5d75f0149eec0547b4a992a7d1f10413697481527b884ac01eb

SHA512
0c254fa4125305595a806f22796232dfd3b5a876711b74a23b6c7bf245ca9e7aaa21750d06a74334a12330ac58f4df7720efd3313aa74fdaa5d6623edaafa40f

Download Submit
C:\Users\Admin\Music\netscanold.exe

Filesize
1.5MB

MD5
bb7c575e798ff5243b5014777253635d

SHA1
2146f04728fe93c393a74331b76799ea8fe0269f

SHA256
572d88c419c6ae75aeb784ceab327d040cb589903d6285bbffa77338111af14b

SHA512
15e2dd2665cb99a246b193d81414ed530218aa02f016c154c65577715764fb95ea1d19ed663ca3e542c7a7826ec86f6632b25712ca1897507f9fabc9569f3195

Download Submit
C:\Users\Admin\Music\netscanold.xml

Filesize
57KB

MD5
67b11b22211df9c1dd0cdaae8a8794ad

SHA1
9838416051c433d2c47c95ca85db34399b1abd19

SHA256
6f88b7be4d0e59d7d1093d6dc6c3c16d6ec4f2a2814920a95c135feb582d503e

SHA512
cbdab9c38d964453e1e4536a88bc8ebaf612020b302ede97cab209e91d79cfdc0f87d6bbfb61e041f79a5dfede05dccc4e99fe8e90a34c023954c9b12b17a76a

Download Submit
C:\Users\Admin\Music\print scan.cmd

Filesize
28B

MD5
3ebe2dabba00956ad1301cf9ff1cb82a

SHA1
b6d26189099018dcc88461c0ea34192228a55e29

SHA256
acf8d6123ca34a7a69b8775c5d747340b0aca468bc807e16374340f6a2e5319e

SHA512
ed0b02f950dc3987956024cd67dcf778f93a637dcd04b54a2f42eced0091c7e55778072076c0c6b04e4632f10374b83b2f015c4c815293f16fe8a925f0e66197

Download Submit
C:\Users\Admin\Music\rdpclip.bat

Filesize
81B

MD5
cb4ed4562b5a19673412bec4a0e4a8d6

SHA1
e54946796b75fbfa74a6f76351f87b8fe888e473

SHA256
102ddf64ae5a6181dcfcebd6be62e78653a9812b80ebb948645aad9d0bf39526

SHA512
1f3a351d9efe33fab9442146791762df3a770b5b97ea7166902064d86c02a37c14b89336cfc779de4a8d67c7f5148dd8202073aface56ef18bd6122fc76f4376

Download Submit