Analysis

  • max time kernel
    430s
  • max time network
    1153s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64
    arch:x86
    image:win10ltsc2021-20241023-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    06-12-2024 19:43

General

  • Target

    massexe/winpcap-4.13.exe

  • Size

    464KB

  • MD5

    ce5cf0bb6b5d6da269289007b17652e3

  • SHA1

    9d81fd8d4b20dc7d68e6783ff872ff577dbebd2c

  • SHA256

    4ac6a84eda7b4b474f00118733da6e7f33c35f009a554a6f78d4464cb7101192

  • SHA512

    c503821a71ef2e4861d6009fa48a1b69ff88e8bfc6ff2244f652e2dca60004c80e4cc6b1cb22f67ccd43a26dc037d1c7fcce1ff031ecc16820dbc96675857d77

  • SSDEEP

    6144:k9X3dmkMIdQQkpxYLcP+k471Xr4bjMxiW+D/xqfF3o2KCzDunki8m/VlidXTj2EF:W34kDdc8L4bQA5qt3CxnkLwlQFPcOLsk

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Neshta is a file infector: it prepends its own body to other executables so that running any infected program re-launches the virus, which then writes the original program to a temporary directory and executes it from there. That is the pattern in this report: the submitted file drops a second winpcap-4.13.exe to %TEMP%\3582-490\ (the characteristic Neshta drop directory) and runs it as a child process, and the child behaves like the legitimate NSIS-based WinPcap installer (net stop npf, driver and System32 writes). Treat the submitted file as an infected host carrying the installer, not as a malicious WinPcap build; the many writes under Program Files (for example the javaw.exe listed under Downloads) are consistent with the infector touching other executables it finds.

  • Neshta family
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often read stored browser data such as saved credentials, cookies and session tokens. Here the signature is a TTP only (no IoCs were recorded), so check the full event log before treating it as confirmed credential theft.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • NSIS installer 2 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\massexe\winpcap-4.13.exe
    "C:\Users\Admin\AppData\Local\Temp\massexe\winpcap-4.13.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Windows\SysWOW64\net.exe
        net stop npf
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop npf
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1264
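The process tree above shows the prepender pattern described under the Neshta signature: the submitted 464KB file drops a 423KB winpcap-4.13.exe (about 41KB smaller) into %TEMP%\3582-490\ and runs it. The following Python is an added example written for this page, not code from the sandbox, from WinPcap or from the malware; it shows how an analyst can recover the appended original program from a prepender-infected file without running it, by locating every plausible PE header (an MZ stub whose e_lfanew points at a PE\0\0 signature) and carving from the second one. The assumption that the virus body comes first and the host follows intact is labelled in the code; the two "PE-like" blobs used as input are constructed for offline testing and are not the report's files.

```python
import struct
from typing import List, Optional, Tuple

# Sizes reported on this page (KB); the difference is the approximate stub length
# an analyst would expect to find in front of the carved program.
REPORTED_SIZE_KB = {"submitted": 464, "dropped_3582-490": 423}


def pe_header_offsets(data: bytes) -> List[int]:
    """Return each offset where a plausible PE image starts: an 'MZ' stub whose
    e_lfanew (little-endian DWORD at +0x3C) points to a 'PE\\0\\0' signature
    inside the buffer. Stray 'MZ' byte pairs in data fail the e_lfanew check."""
    offsets: List[int] = []
    start = 0
    while True:
        i = data.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
        pe = i + e_lfanew
        if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
            offsets.append(i)
        start = i + 2
    return offsets


def carve_prepended_host(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Assumption (labelled): prepender layout, i.e. virus body first and the
    original executable appended unchanged. Returns (stub_length, original_bytes)
    taken from the second PE header, or None when only one PE header exists."""
    offs = pe_header_offsets(data)
    if len(offs) < 2:
        return None
    return offs[1], data[offs[1]:]


def stub_matches_report(stub_length: int, tolerance_kb: int = 2) -> bool:
    """Sanity check against the page: the carved stub should be roughly the
    difference between the submitted and dropped file sizes (about 41KB)."""
    expected_kb = REPORTED_SIZE_KB["submitted"] - REPORTED_SIZE_KB["dropped_3582-490"]
    return abs(stub_length / 1024 - expected_kb) <= tolerance_kb


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed test input (not a real executable): a 0x40-byte MZ header with
    e_lfanew = 0x40, followed by a PE signature and an arbitrary payload."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


if __name__ == "__main__":
    # Constructed sample: a fake 41KB 'virus' blob in front of a fake host program.
    stub = make_fake_pe(b"V" * (41 * 1024 - 0x44))
    host = make_fake_pe(b"H" * 300)
    infected = stub + host
    result = carve_prepended_host(infected)
    if result is None:
        print("single PE image, nothing to carve")
    else:
        stub_len, carved = result
        print(f"stub length {stub_len} bytes, carved {len(carved)} bytes,"
              f" matches report sizes: {stub_matches_report(stub_len)}")
```

Run it against the submitted sample and compare the SHA256 of the carved bytes with the hash listed for C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe under Downloads; a match confirms the dropped file is the untouched original and the first 41KB is the infector.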

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_40093\javaw.exe

    Filesize

    325KB

    MD5

    892cf4fc5398e07bf652c50ef2aa3b88

    SHA1

    c399e55756b23938057a0ecae597bd9dbe481866

    SHA256

    e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

    SHA512

    f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

  • C:\Users\Admin\AppData\Local\Temp\3582-490\winpcap-4.13.exe

    Filesize

    423KB

    MD5

    ae26452c8b3d97ef2037521ac0dd3a8b

    SHA1

    3ad99ec2bf6cc4f947bb09be627c91f82a898aa8

    SHA256

    f28156a96be558dfb83a3d935223a127816ad124b94f92c499400c38078ad842

    SHA512

    f5012a9600542b46eca137f41d58d6a6d3071aa36ca2b4c0f0119639cdf051c0a0e597c674583c4ec5753f8368ca121282acbf084930d2b1f30671f2032448d9

  • C:\Users\Admin\AppData\Local\Temp\nsvA1DF.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    79327201915b7cf3ba0c5d1a143aa925

    SHA1

    185b6f5520b1c39d3e7d9d91ed099698fac46d92

    SHA256

    1edf8dc7b6ef67e7cf68f6b07f38be5b336b5e6b2d1d5500cdb3e121b8381394

    SHA512

    c51086b7e039c83abb727a33b7f1ccac4fa999373b0423ac4b253e87195a5515d29e98ea2ed64f30406a14db4bf94422d34e6c9db8fc80be5c4e3fc77fd0207e

  • C:\Users\Admin\AppData\Local\Temp\nsvA1DF.tmp\System.dll

    Filesize

    10KB

    MD5

    5c22bbf6730572e50eed4108af6081df

    SHA1

    8a13196f4d47ee7de2e35509058db954db10c72a

    SHA256

    3198d832c222a9907d3d5822116c944fd1c6670a263b775212104a9ecf88beec

    SHA512

    264b194a50cb523f5758569d918b5f60cb2959c4d091ae6712efc95644700a7bc2bb440a22acdf2285b754691a9cc04633fcc7c5b354dae75c7260d6b27ebb18

  • C:\Users\Admin\AppData\Local\Temp\nsvA1DF.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    6d376db8c870c88759ab0fac0f91bde4

    SHA1

    c1df9264442c84858735550af99c1af55204dc31

    SHA256

    7994b5dbbd63253b8e11ee5d4aa34c61852d5f86a9c4a35ef421de2c26c80cd9

    SHA512

    ed37d2b97e44c5f2e3bb63dcae3b7eafff0a00ea6d315b6764b322d4dd68ec5d3f9c8a5b8e23cf585612c8b6fdd5bd6eb03e13237c445f990eca86a59579fd23

  • C:\Users\Admin\AppData\Local\Temp\nsvA1DF.tmp\options.ini

    Filesize

    320B

    MD5

    5481254bb23f8ea72e294359dbfa251d

    SHA1

    e19658c820bd36c35c651308579a651b543e1341

    SHA256

    d5974fd21ee50bf9561bfa105483c46febca7f6a864bb3aeb1a4f8f4cbd3cf9d

    SHA512

    b15527706cdbc6d5fd2c023bfc55958efc4369bcacfe8c9cafe38dccd636d5c834aa0a6518e5be46b56780eb8c9ff6157b3021ff55825d6b18a39d694d28b584

  • memory/2768-106-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2768-156-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2768-157-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2768-159-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB