Overview

overview

10

Static

static

10

re.exe

windows7-x64

10

re.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2024 21:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    re.exe

  • Size

    7.0MB

  • MD5

    2f257ead7f42df4e9115ddab552e77e4

  • SHA1

    84e1e63ea102e3f50b6f87e396e53df8ef6e20d5

  • SHA256

    8b2a368965731bd3eeda7fb5e4998e367c24ef7ae71c50394363a9448373ce15

  • SHA512

    336246379fb20f818e1de05276c7954249130d478a6ab252748ee3ee9ea88265bf7438415f594819e78b0dec61deb92d2742dbc9ecda269cabbdd2c1995b498d

  • SSDEEP

    196608:OXzvm6eIrZ3K3xnLZGTIB4M+IFQyXI5qF:z1I130xgxIFQyXGC

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\re.exe
    "C:\Users\Admin\AppData\Local\Temp\re.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\3582-490\re.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\re.exe"
      2⤵
      • Executes dropped EXE
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    Filesize

    547KB

    MD5

    e0f2257e0ad4b04429c932673ead4884

    SHA1

    352fcc1fe1019cd069ab52b409b31bbd0a08ea9a

    SHA256

    6e11a49479c1d2b35f15901b0700e307712338f343e1c03fcfe715946fab5969

    SHA512

    d77e790e63b1b2307df2ef0bb774bcbfa5cdc716764050dfa055a23449cffa5c6f61759b0819712f3e3be06037cbc3469082ba2b02af990017f28658f0103763

    Download Submit

  • C:\PROGRA~3\JWRAPP~1\JWRAPP~1\SESSIO~1.EXE
    Filesize

    152KB

    MD5

    9db096e73f66bbb3a58c1cb6cb534553

    SHA1

    55e478649dc97f2a152e27a4399d14f0bc003d42

    SHA256

    80a41cd9c74869d85e70aedc15ae6f295fdcd656db021a5f79a1f76898866e71

    SHA512

    2ddf7b8a9d53b0dc65eae236d1b67d5ac9dcdf7a9db242b7e1fc819230a51272a48dede3c536c04a33008b3c1b6e625aa0ebbcef73acc90da10c27a49ab089b7

    Download Submit

  • C:\PROGRA~3\JWRAPP~1\JWRAPP~1\SIMPLE~1.EXE
    Filesize

    246KB

    MD5

    259e2a281c02b64962564bbecedbdf19

    SHA1

    548d0ee5e04c9dfaed8921339e592da0336d0abb

    SHA256

    5c5d11aa62e90e286464b4fbad5401af8d348926fee6811561f1d979a8f634b3

    SHA512

    d893e0f191e0447c6f5d41b62d786ce0f7a7340c8a35daf60be94b2a4451cc382b60eb4131f802ff885354b272492e01a8459502ad483a6b79424bfc9a37179a

    Download Submit

  • C:\PROGRA~3\JWRAPP~1\JWRAPP~1\elev_win.exe
    Filesize

    238KB

    MD5

    7e2f6d98a5349a22e5be11b83cf9c696

    SHA1

    23f4c25510b3272a7a9e18233609f6d55dceb8ca

    SHA256

    5b87ca45360d5bc75374312769b6120b4bcd9666ff00e05cbe980e7298b1baec

    SHA512

    4fbac0edb3c886045c6c98c6551affefacb1fe6f4251fae157108e853c5cc94676c78134c551114cee34d61c2de7332af58d20ef037084b8a201e27315256519

    Download Submit

  • C:\ProgramData\JWrapper-Remote Access\JWrapper-JWrapper-00095171916-complete\nativesplash.png
    Filesize

    8KB

    MD5

    08051133e368d61036576d3ed5b9cc14

    SHA1

    817e7a73eb33ab39e3c4d8c99a00c9d05c64f5c5

    SHA256

    5ac80b373a7de315cc803eea0fc640335369df062de52b53c2a4175af2c0a2a7

    SHA512

    93400dc7b885e2f51942ccba11ed7f1ebc82b9d726aa3b5c11ea118bfa93d20594243449ce37195cf72387064514c01d0d2d38776d7d049e148050edf873b7ce

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\re.exe
    Filesize

    7.0MB

    MD5

    25b6f3f4b13bc53dd4981915cdd95e33

    SHA1

    d45348d67a362c46cd2cd3c2fa1e8e5a32721f34

    SHA256

    75ef7f52bd7ca4b2ebea210f96586c486b4e635cda01d0a7d9fc461210ed0cc1

    SHA512

    47d5d612cbe9c87645aa0887c58df7ef51a676c3115601366dd8a6fbf9989beb75b1b279bb8f8b3e67eef20d3960a7177cbbb558eca93fff2d7ed6b47c4076c0

    Download Submit

  • memory/1904-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1904-118-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1904-119-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1904-122-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download