Analysis

  • max time kernel
    120s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 20:35

General

  • Target

    222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe

  • Size

    1.8MB

  • MD5

    b2a57829bf508d6bdc1f13035ee89e00

  • SHA1

    fc003983062a9ff565db96a746e97d7955307f25

  • SHA256

    222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d

  • SHA512

    ed267cdc479f5d7f7f36076c02c2a4417c121c79e80578a3bc64830c559a9a026c51de0505d05872bc39823354244d5ed82894c42acd86f1fb72d137661221ea

  • SSDEEP

    6144:k9k/uXEnYjMgrB9aQHzqEgRgeAOYs7Aptq2xcqC4S3O23dXZ:WWYowTqXWs7A22xc14S3O23n

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Neshta is a file-infecting virus: it prepends its own body to other executables, so running an infected program runs the virus first, which then drops the original host program and executes it so the user notices nothing. In this run the host program is written to the 3582-490 directory under the user's Temp folder and launched from there (see Processes).

  • Neshta family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers commonly read stored browser data such as saved credentials, cookies and browsing history.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
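A prepending file infector leaves the original host program intact behind its own image, which is why the 3582-490 copy above is a distinct, smaller executable with its own hashes. The following script, added here as an illustration and not part of the sandbox report, locates a second PE image inside a file by walking every "MZ" stub and checking that its e_lfanew field lands on a "PE\0\0" signature, then hashes the carved tail so it can be compared against a known-good copy of the software. The sample input is constructed in the script from minimal fake PE headers; it is not the analysed binary.

```python
import hashlib
import struct


def find_embedded_pe(data: bytes, start: int = 1) -> list:
    """Offsets of plausible PE images starting at or after `start`.

    A candidate is an "MZ" stub whose e_lfanew (DWORD at +0x3C) lands on a
    "PE\0\0" signature inside the buffer.  Offset 0 is the outer image, so the
    default start of 1 reports only embedded images.
    """
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # e_lfanew must clear the 64-byte DOS header, stay in a sane range
            # and point at an in-bounds PE signature; this filters random "MZ"
            # byte pairs that occur in ordinary data.
            if 0x40 <= e_lfanew <= 0x1000 and sig + 4 <= len(data) \
                    and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_embedded(data: bytes) -> list:
    """For each embedded image return (offset, size, sha256) of the tail that
    starts there.  For a prepending infector the tail is the original host
    program, so its hash can be checked against known-good software."""
    out = []
    for off in find_embedded_pe(data):
        tail = data[off:]
        out.append((off, len(tail), sha256_hex(tail)))
    return out


def make_fake_pe(body: bytes) -> bytes:
    """Constructed test input: a minimal MZ header with e_lfanew = 0x80, a PE
    signature and an IMAGE_FILE_HEADER, followed by `body`.  Not loadable; it
    only has to look like a PE to find_embedded_pe()."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, 1 section, no timestamp/symbols,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + body


# Constructed sample (assumption: a small infector stub image with a clean host
# image appended after it, mimicking the prepend layout of a file infector).
STUB = make_fake_pe(b"\x00" * 256)
HOST = make_fake_pe(b"HOST" * 64)
INFECTED = STUB + HOST


if __name__ == "__main__":
    for off, size, digest in carve_embedded(INFECTED):
        print(f"embedded PE at 0x{off:x}, {size} bytes, sha256={digest}")
```

Run it against a suspected infected file by replacing INFECTED with the file's bytes; a hit whose carved hash matches the vendor's clean build confirms a prepend-style infection and gives you the clean file to restore. Packed or self-extracting installers also carry embedded PE images, so a hit alone is evidence, not a verdict.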

Processes

  • C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
    "C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://line.me/download
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2680
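The "Modifies system executable filetype association" behaviour flagged on PID 2332 is the persistence mechanism to check for on a suspect host: if HKCR\exefile\shell\open\command no longer holds the stock "%1" %* value, every .exe launch runs whatever program was inserted in front of it. The script below is an added example, not part of this report, that parses the text produced by `reg export HKCR\exefile out.reg` (or a wider export) and flags executable ProgIDs whose open command deviates from the default, plus a .exe extension that has been re-pointed at another ProgID. The expected default values and the sample export are assumptions constructed for the example; the hijacked path in it is made up.

```python
import re

# Assumed stock defaults on a clean Windows install.
EXPECTED_COMMAND = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
}
EXPECTED_EXT = {".exe": "exefile", ".com": "comfile", ".bat": "batfile"}


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_export(text: str) -> dict:
    """Map each key path in a .reg export to its default value (@), if set."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            values[key] = unescape_reg(line[3:-1])
    return values


def check_exec_associations(text: str) -> list:
    """Return (what, actual) tuples for every deviation from the defaults."""
    values = parse_reg_export(text)
    findings = []
    for ext, progid in EXPECTED_EXT.items():
        actual = values.get(f"HKEY_CLASSES_ROOT\\{ext}")
        if actual is not None and actual.lower() != progid:
            findings.append((ext, actual))
    for progid, expected in EXPECTED_COMMAND.items():
        actual = values.get(f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command")
        if actual is not None and actual != expected:
            findings.append((progid, actual))
    return findings


# Constructed .reg export: exefile is hijacked, comfile and batfile are stock.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Windows\\example_loader.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


if __name__ == "__main__":
    for what, actual in check_exec_associations(SAMPLE_EXPORT):
        print(f"{what}: unexpected value {actual!r}")
```

HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes with the user hive taking precedence, so export both hives when checking a host rather than trusting a single HKCR export. A non-default value is only the start: the program it names should be hashed and examined, since it runs before every executable the user starts.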

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a7cf94ce7e862dadcc681845c83db9bd

    SHA1

    083eeeb6d770bd8766836775126fb8eaa70642c7

    SHA256

    6ee4b4f30e077ecdfb7d51ff45b83033559235e8287a043f6b241b578533fdcf

    SHA512

    56d5bdd52c9bb3ee88e15e51e37e5a9ffed416dd23c7c05de88a9f8e398710a419c3b3219067408db5c319e0d943b35d1b9c7f912eb1368c5c2f2a1ef995c99f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d425a935f01bd7703a1185794f299935

    SHA1

    237b21a4de07eee4bd32cb928aaded7297bbbdaa

    SHA256

    9cf0b93e455a7fdb9a34f4bf712072d8f56efc4a39fc136ba72e474472cfb02f

    SHA512

    cfa7d02243176b5e998dbf48428b802b8a7a221b3e080d647bb26851c250470daa357830de58af1efe1b8b6649bae71ef56972612ef9e32319a590b5cd0a76fd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    76312fc81d23b8f0b3c7184410e8e392

    SHA1

    c1735b78ef000d29e8bb68848a6393a18ab4374d

    SHA256

    39139c66d2439e772982f6f5574bc791c2a55857533fbece510522630e68c7a2

    SHA512

    6c34b2cb57e37a704b32a14d9409053926e9795313fa4cae15fd5c26cc9bdc00fd60e13f13bab15a08e6897a1ac873175ab55a4ebf34ef05f0adaa46584d64bf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4e64a29f27a265e31a951799899c30b2

    SHA1

    fd05b25c81bb867bbcddfa86de1eb38663b6f280

    SHA256

    ac43b2fa24fcaeeb2ca3d63b56c59d87c6a461b3eddaec13d5ffcbd02335dd95

    SHA512

    eb9f605f8b44a3be2588b5aef673b6ed6a66e1be6248eec5d4ca560bd659879efde17bc8001e359e40df7c5c515ae2d68463d414abc1c3eb42f8a3c83f288d12

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9579b09a08a3b4adc76d801224636af7

    SHA1

    1f24c313a5307be63bc5daad0a660ddf7a7fafd0

    SHA256

    51ab83420acf2997c5df2aaa6f01b446e2a92216c9a8b8f2a03ecdd296de2204

    SHA512

    f9d781d0922e5ff8293678217dfdec711443e1db247b98d3a14502800b6a02f432dc0d71eeba3142eb07ed62a3b7d346eb637d69c9ff6da9a9595f5c4d5dfeab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9e0763f3deea27007487b11746929202

    SHA1

    2115695698c507842935302c43f96efa608b583d

    SHA256

    f5d54d3f072a0df9f3c275d2e44006b242ce80aa5e7e12933e4147a9208eae9c

    SHA512

    b3a51e42f612f23b7a1cc45cdfef2211c359677786ea21544752b6e2efe1ec96f3a0681a91fd1080b5658efdbb34923f9e2644f546cc7ec463cf71bc663371ab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ec0d32486e6e09bdeacaacfe5300db06

    SHA1

    ade6b28fdcd1092ef200065a927a0f65c07b2481

    SHA256

    2b6d902d5f518807094c071512f8d25fca83fd80f825e6deb5e1ad7f34153d33

    SHA512

    94afdf328cc50ba74c452baf8593ea75dd83267a9674c87ae57ec597f8c1c866b739c1aa9a47072e327a31ee2125a612c47a8fe669f997b92427b015dbd7bfde

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    aaabd09c00046728d7737634bd17d3b3

    SHA1

    d05f51c0f7adacdb09f9f96c8305f9a7436ec9df

    SHA256

    4c4b97fe52b7de4d7950bdb37dc7d68ab8994fbb3c3786cca0c39c0ce9557f12

    SHA512

    11db68450c676e49f868398ce3afded22a9af1621b3db2ce20dc07ddf041b86bcc0125ed643c4c796a5ad7a9ae41d757e9219baeb064cf4008ee95b7a12eefd7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    48492d6208add7dbfc07a2e1470539dd

    SHA1

    e32575915ab9ec91d2253cc1abdff6ee28789740

    SHA256

    835e2e1f40fb67fae714ce4a7d311500e48ba56a63f24ff65e0190c10fcb294a

    SHA512

    a2b6a33689337b418c1b656a195a599d0cef86e4db60bc0dcb073f3123e68ff40b399e87a8a48a180a93fb22d3e2e36c2fa441a57948191431089e83e5e2d73c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5ace463f255cf8a979301d5c97eb2dd4

    SHA1

    b714b0f03d759053aa07d90b62dbd4bb9583b898

    SHA256

    ed9da24587abb6840beeec5a627c64e36c89585ee66c4bb68b851c607e2d542f

    SHA512

    09b03faf5e82f52eda586cb28109531f6789883fe7ef53dda4d2a65078006be6ba597d2dba247fb9024a91d0dce6f7d7664971c6c71bfcd91fe7d4b2f53e1981

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0da9189c0205b6d7929cba3e287be74d

    SHA1

    29e760cc1cbb5e974af455a4670501102509a935

    SHA256

    c871147b51f312ec3fbfead1ec22b689199e71eb55d0cd82a20eda77e237fc4e

    SHA512

    6779260b2e201a1e732f20e2e3f24e28a09417eb6ed523128dc7e10cfe2c2fe4ea9e9bc02d41d154da58b3439518eed352413fd32d6b667fa2ed674051b92346

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    08b7da0e96c59f60b5fa9e21eb0b74f6

    SHA1

    5c5989882600f7a0c4344db815242fd15f1d1633

    SHA256

    a4d3ee56f148d2d1cb5cc0e73186e210d9e00fe02fdb88f6135f82c91ebeb16a

    SHA512

    1c9971fe9fb1c0c9ef1187aa1d708b34c32f5f3068cc8f2503ee8b4759fec5d7fff6d6f350c36ceea0c1a98fdcc6cd3f0b987dfdc0f021f87f108d047cfcf3ee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    43ba6e385551dc3c172692bd6b1945e0

    SHA1

    24598462007107b461a69eed24df8563a88666db

    SHA256

    087d1235227981b99c8275b7eca0b53b3fc0b63c23b4e671710d9f43ef357b3f

    SHA512

    4702e1831b1a171f8d7f4438c6297ea2caf6627d53f414daeaec186ea35b01594b92ff5ba291797ae6de8b54d548b3086ff1332eef81c4efe0fdea74bfc1f496

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dfba65ff7d72e8973860d21aa431df78

    SHA1

    b8d3155fc73aeef2581d1db8f786814a4ab77602

    SHA256

    460c60b3978e514de8839c1f12d748632291c623f28e220d4c72c1ad85134cd3

    SHA512

    9469cc8f5e92ef5da78e575f4e638e768ca735f98262ad97d8ef9ec8b9235f732dbc38d27d7bc6356988c6806c814c80131b8a99dca36c1a3ce960504afaff71

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    377b1083bbb30d2a7a2a089566bd2e91

    SHA1

    5ff25bb2bb316a431a2db4c5fbafa46c0aa6dfec

    SHA256

    063816cff843b887438de8646c1c2f9ab0a16c7efbec0ae22cf435e364e2b5f3

    SHA512

    ffa207e6d7b710e2152d5669fd92294f1a2da7e10ccac19b7ef32f600743492b65dafe3bde1ee954c29276032b034008e85016c8cd6ef096ed19b61192afa0a4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d537866db60fd0d597be8ed2d1f7d39a

    SHA1

    3fcf4f07abe2d85ba51ebc3fe488f421e6b5dacc

    SHA256

    a2bb97176eb177374d5be85e5a0b659d6b882f1daeba53a513b1eab9e88411ac

    SHA512

    c58cb13f30ca94d79568987d7c2a3bfd44f55abcc136e080d66883d40a092780b94da692df3c3d8ef371788ab74688ebdf9f07836efb992eb1870d9589ce834a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    098f980d18493322e320746cf05f6d2d

    SHA1

    2cceb8b27fa557052bc3525ed905431172a58d9d

    SHA256

    9cc80fcf1b78131c5b5f08b2cde795a0048b0af1b27c3fb4dcf4e6421f95eda3

    SHA512

    56ebf7be7a3485e94f137dd900c7a1842cff0dad9b2daf6876aa6a011dfbbb94db906db932d8d2ea80b63a4b6702068b72728b8410fa24746f55e2951712580f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    01ed0649eafc2a1c84e818f889406c17

    SHA1

    0005bc3e822de130091d300ca15241e9b02fedb1

    SHA256

    76c0a746f21a0aab0dfb27123f0f4bd4b01d92f9538b461939c23d68b44140e0

    SHA512

    dc3ecc2041335db165a0c6cfc4463fd3d51673c04e378526159d726cb97e9da88ae521c42536dd4b48556f1d123fff2757b00a1fa1fc6c2ce24d0eef6c6e020e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3380484afed2ab9b833dbd31aef35af4

    SHA1

    b880ce515fe999ffc5f4b2fa9098d3c0ca0c8f97

    SHA256

    6584ee79c27525d15c2fb780299ce1360a9c1bace1211f950bf848ea5feef546

    SHA512

    d116d7e1d1c1ecc0b214818a5fc397e21fd32a67aa422a9f6650c97ffcad06fb6f9a30b52adbd65f59223a63e9054bf3e0ccc3557ff984585e4a58603bc7529f

  • C:\Users\Admin\AppData\Local\Temp\CabD9FD.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarDA6D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe

    Filesize

    1.7MB

    MD5

    88b025628d6a11f175efc3e408f15bc7

    SHA1

    9052d13959414970d1101dc015373b2b6f3db491

    SHA256

    c989d724540a41e68eabd23badfb429d61745af88444e26fdd38a2f4ef64a8d6

    SHA512

    8f6caa9da491a40eb6c74f1d4addc82b6a169d4624375efc88a3dadbec3968a07017cd1e9d609a9c9023a5afb2994af59d41822e7a3539e1f5ba2512f9522f40

  • memory/2332-83-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2332-89-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB