Analysis

  • max time kernel
    121s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 20:42

General

  • Target

    222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe

  • Size

    1.8MB

  • MD5

    b2a57829bf508d6bdc1f13035ee89e00

  • SHA1

    fc003983062a9ff565db96a746e97d7955307f25

  • SHA256

    222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d

  • SHA512

    ed267cdc479f5d7f7f36076c02c2a4417c121c79e80578a3bc64830c559a9a026c51de0505d05872bc39823354244d5ed82894c42acd86f1fb72d137661221ea

  • SSDEEP

    6144:k9k/uXEnYjMgrB9aQHzqEgRgeAOYs7Aptq2xcqC4S3O23dXZ:WWYowTqXWs7A22xc14S3O23n

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Neshta is a file infector: it prepends its own code to executables on the host so that launching an infected program runs the virus first. The virus then writes the original program back out, executes it so the victim notices nothing, and goes on to infect further executables on the machine, which it can leave corrupted.

  • Neshta family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
    "C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://line.me/download
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2080
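
The process tree above shows the prepending-infector pattern in action: the 1.8MB submitted file (PID 2400) writes a 1.7MB executable to %TEMP%\3582-490\ and runs it (PID 1328), i.e. the infector stub restores the original host program and hands control to it, while the "Modifies system executable filetype association" signature on PID 2400 is the infector making sure it runs on every future .exe launch. The script below is an added example for triaging such a file, not code from the sandbox report or from the malware family; it assumes that the stub stores the unmodified host program immediately after its own PE image (consistent with the size difference seen here), and the "infected" sample and registry command string it builds are constructed test data, not artefacts from this analysis.

```python
import struct
from typing import List, Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"

# Stock value of HKCR\exefile\shell\open\command on Windows: run the
# clicked program itself with its arguments. Anything else is suspect.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'


def pe_header_offsets(data: bytes) -> List[int]:
    """Return every offset in `data` at which a plausible PE image begins.

    A hit needs an 'MZ' DOS header whose e_lfanew field (u32 at +0x3C)
    points, within bounds, at a 'PE\\0\\0' signature. A stub carrying an
    embedded host program therefore yields two offsets.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            # e_lfanew must land past the DOS header and inside the buffer
            if (0x40 <= e_lfanew < 0x10000 and sig_at + 4 <= len(data)
                    and data[sig_at:sig_at + 4] == PE_SIG):
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def carve_host(data: bytes) -> Optional[Tuple[int, bytes]]:
    """For a prepending infector, return (stub_size, host_bytes) or None.

    The first PE is taken as the infector stub and the second as the
    original program; everything from the second header to EOF is the
    host. Assumption: the stub does not alter the appended host.
    """
    hits = pe_header_offsets(data)
    if len(hits) < 2:
        return None
    stub_size = hits[1]
    return stub_size, data[stub_size:]


def exefile_association_hijacked(command: str) -> bool:
    """True if an exefile\\shell\\open\\command value launches anything
    other than the clicked program. Infectors that want to run on every
    .exe launch put their own path in front of "%1"."""
    normalized = " ".join(command.strip().split())
    return normalized != EXPECTED_EXEFILE_COMMAND


def make_min_pe(payload: bytes) -> bytes:
    """Constructed, minimal PE-like blob for demonstration only: a 64-byte
    DOS header with e_lfanew = 0x40, the PE signature, then `payload`."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE_SIG + payload


if __name__ == "__main__":
    # Constructed sample: a small "stub" followed by a larger "host".
    stub = make_min_pe(b"infector stub " * 16)
    host = make_min_pe(b"original program " * 64)
    infected = stub + host
    found = carve_host(infected)
    if found is None:
        print("no embedded host program found")
    else:
        size, carved = found
        print(f"stub size {size} bytes, host {len(carved)} bytes, "
              f"host intact: {carved == host}")
    # Hypothetical hijacked value; the path is made up for the example.
    hijacked = r'"C:\Users\Admin\AppData\Local\Temp\stub.exe" "%1" %*'
    print("association hijacked:", exefile_association_hijacked(hijacked))
```

On a real sample, run carve_host over the submitted file and hash the carved bytes: if the stub left the host untouched, the SHA256 should match the file the sandbox recorded under %TEMP%\3582-490\. On a live Windows host the command string for exefile_association_hijacked is the default value of HKLM:\SOFTWARE\Classes\exefile\shell\open\command (Get-ItemProperty in PowerShell reads it).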

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b35b2efcdbb524f5b277a5b8cdfd83d7

    SHA1

    49802b37a0bf13c56b442ab3e277a60c18367aca

    SHA256

    8b485030c4115d925f4d847ef730aa58e560229ac9cbf447a131226a9214c249

    SHA512

    2852d408cb4883165f902fb35bc860a5741798e857f1da94d8e7918f723b6b2c9c7876d10bc28d166d22461186d0c6b8317b97e20899d39ef7616e98b1b0bd94

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1289774d3ee35e9e1570db76c69b4a05

    SHA1

    12023e6604c2d0d796668cce2b24de8af89bb70c

    SHA256

    68158ee2dd8f02d77ac25e664fa3722d84add5bab619e47d10652ebd2d5e7486

    SHA512

    29da63f18ff369c3d0cac59f39dacb563987ee72017be00a127ee2676780fd28ec558ed1cd0f363d97e7a9994dee8573d31a8f5cddfbd2e4940fd78a8610f938

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    35b1a5810a4632d9fd5e4b6c2a43f25f

    SHA1

    7a791d97747e6f5c5c020785bba20b1c5ed8dc4d

    SHA256

    74cae1dbeeca4f60065b32195c9dff2ae0a57596831bce0a93e569644ef69c59

    SHA512

    ab057f2d5313df227052462b28932580e3056f0f42fee25d35ee60854a9e4a8eb0c84775904b93917201a25ea3debfe6888a69083906a4f981b6da035ebd2f51

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    78e85cda9594e93abf0b0e8a5e7b269f

    SHA1

    3591725d4e6c16acb3d958684811c0616afdfa2f

    SHA256

    efc337e96cca9623d65bd444d3c438d527182223d21a9ba57ce68a57ddf7de53

    SHA512

    dfa350daeb12c64db96603b504926e33efa65a5e7a31e3c2d65367339696301bba9a03a2447b78c6891bf688bd0d07cc63d000fabc1dd11d361c6b81c6043497

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ede2f4cfb028821e0d2eb79cee31b807

    SHA1

    47eece9bfceb5242b7e5a9accc45411b6c8992a6

    SHA256

    b17c02a4945d7dd96664fc2cab0a9e95cdcb4d5e3008263b25ca48dd3dbac3a4

    SHA512

    bf52d076fbfe376995a509af774ae6e683b623034358f03f5603bbe584c7eed81746e09bfa7b64c270d5c40fade945a91d473c131fcd7f2fb7534104bb9e0a66

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e7d7056e4481cd0a106ecac5fa50d45c

    SHA1

    76948701003f7c52aa6d3335005c6395a214e287

    SHA256

    c683adf29cd308f8fd5cf99a26d1004871e9f2b60708e0f7bb83ecbf7f90f384

    SHA512

    0a668702ed474b7729aa5ec4995ca11af079172a733c191a66efb777668df850d499305f7e0e59d4c0a161b2b892dc706913aa66a808ef8dbb848c613186c9ab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7ce69feae30761a8f21c514863606072

    SHA1

    aa3b1a134e29e7ff26fa1e7d8650fc9337dc2990

    SHA256

    1da5f76d2e9b197cc5dc62138886a35c617550790a4c1dab2fc9e5158d0f9c74

    SHA512

    f54ab6fc68309f1e6cc2fb851a686d65013b559375f1167b3426b7d1099df21cccecb78049a54b160978a06b55fa98043c1875e7143d9447e0caa09d6370876d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9df2d1f326dcfa179c2915a6ecb2879f

    SHA1

    92fa15e22f872c189dfe07e57c166b8527686d6f

    SHA256

    58739f45f41c2d8143caa933c317e7f361ea4fe6c2bff946a7153706fcf1828b

    SHA512

    0d695312e4aa82a76e911d0f378f2797c33670df2ebe87ed705acebca028c0c6400f48a6528ab3d3b47b81f9b6d30035baa3ce3d6891928616cd308a1ea7ace1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    71589ba713c0663263fb0ecd2dcfde50

    SHA1

    34d91a8a196320aa2fdc9601b81711d49e870a51

    SHA256

    9c2efbffd25ff3ebdcb0b9243cd4e5219e0b20b1e74ee70146e8f232c7d6a209

    SHA512

    440948f1fda17a62186d7a5a60f8a8370dd239d80fc2b093f3b7d692203aad9caa59d247a63e972ded4e078cac5eaf1e9c6c32d3ce4cb0aa85749829c0fdd44d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2e28b3dd9a52a80d744a7c246fffd029

    SHA1

    24f4db82cd6ffe500d9fc9abc1b3431735b2c4a4

    SHA256

    008e88aa2f266f64fb79d14d7fb7934d893d7fecc7062aba6c040a658a2de63f

    SHA512

    078437c8d991d55f2150d5d496441a017acad1e469e4351adc2b2c0585b7b5f3c5d74cd4da5251fbd9ce02e0e03a6afb98e7c7c7d370eb4d8142612592c6eb9c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2a8c6d7e25e38baead339f7d32406de1

    SHA1

    3cb5c81b160d76a606140eaef8812c7f7ff82cb1

    SHA256

    b4db350799d60c98bd73a4a80cd9b29911e1298c0c8802a231b52b6539055c96

    SHA512

    cf10c917f8adb29d146e668d605c65195afefc47d91cf6b029b3f8f6cce4c486b0b123b16e06acefb92d3e3020ed2a967be0225b985a253b3997126937167592

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    28ea027a699bee22b6b143710e7335ee

    SHA1

    5bf8346a09f3136f745def83d2a0cea9700c663c

    SHA256

    658bd8f38fc8838879d357c387abfd21685155c28bfcbb212a0cd259ecc4b0be

    SHA512

    eb9436840974f1a0b0e37c7a4ee712412ca5b042d566b0733dee05567827c14091be4378d0f57c3ab812254512bca0e68b0546eb0d1fe7fa31d340ad97b4048a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3d4c933f424a1942fb01cdf958a7aaf2

    SHA1

    f12b56265564d42bb4172aeecaaa4a21aca15fb5

    SHA256

    4b5c88e5cbcd6807d449e05772d34b224c35c7c76524cc725160c73573ba4e95

    SHA512

    db66668193bdb2e889d11b6089ca68327123238621d0607d00c8c38f10744dfeba50e58f64dd3cc03aef45ff7bc6ca452a70a731cc9627bb994414f9a58d9459

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b38cf4f26d9c7f22245f8e0006da999e

    SHA1

    bf8195a0a2af4bf264067d8d86c3a80c7346f181

    SHA256

    a67bc1b533bc8a5affa7584e85ed7434a5673bd657029ebc42039685fa64ab19

    SHA512

    ef9d9727fe6a191a8ba0cc1e98581c7c219ab5cef40254f1e8fc60309b968df134c7cba482bfdb064d9b5fb37d9a26ab0a81114f906b40d11acf7a599e1eff14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c9fe14e3bbdd355ad908a4efc8d19a05

    SHA1

    9292bff260485533ffec6137059a4e53a37cb8fa

    SHA256

    3b944e019d9ac8ce191b65a1f61c8ecb8f796fa096fae96d0887d915b1473006

    SHA512

    d096a9c98d73e4ebd42ec527ab0167e2ec59e3c518c1631b2f695323a87fb6790be46285aa7d9631d6707cd4a6d328cd4b3bbddd055b465338e93c08c05e3b25

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6fce219bc41bac2f1242e6d1973f9851

    SHA1

    e974bca9751c94b5f5e3c3ac4b5599b5f9d00793

    SHA256

    b58c03b31ea6b8c7781afcfdbceaa67cc1bea801f9f5ca9b3aa8733a74982921

    SHA512

    1f9e0ea8a375244d5ecd4b0eb7ef7a1b79f5dc3b3d68b1a2adb185f22bd0834f1ea65694300fbfce1c2378a896de31b9fcd7bd1d693d040a04cb17ea954c91ab

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    059055684e15e30f896333be18a7ae27

    SHA1

    2057c81dc540bf2abea5950fd5a2cae4d3a84b2f

    SHA256

    4cca7a409c9c49985dfa38ab72a3b46cd2a9be7fe1f0d74bd014c4d7348f6c62

    SHA512

    ec4c7de5d27fbf9244f1ca5028f0a96198d268f678db01e711d6fca66df82a1b3639b97623b0e0427fe5bb3cf273d40e7617fcc925008e7cde8d5eb0133b6ccc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    49b4e1d564f83216a99aa1f152157eb6

    SHA1

    e6026bdd4ece76315cc17aced5dfd674aac85a0b

    SHA256

    a1911940e84e93040a33808dfc3860f8709862a1e5cb408c0332499b415a9449

    SHA512

    2faec54a840c5eb2c8d51b174adc024cbf2b9781cc42320d11b9cd71458a208c7c373739e5bc9749f40653c2dfc413321ab37c2f72ccc21289152e3c6a065feb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    285f7d01388a74be115a9c9cee7caf06

    SHA1

    20417147acf437d81c46fd8aeb49cacff8de0e71

    SHA256

    85d9a2bca19d873b823020e6c0cfd4554572a91f70fc9bd3e6ba967848325dc2

    SHA512

    c14edaa51858da9b410640ef0d78851fab3a7970d147275d1f50d8cf7420cc6b186058979fb54f21c41236b81573cc1002fdc43d3e63ba377921185bc43ea0d3

  • C:\Users\Admin\AppData\Local\Temp\Cab545A.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar5509.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe

    Filesize

    1.7MB

    MD5

    88b025628d6a11f175efc3e408f15bc7

    SHA1

    9052d13959414970d1101dc015373b2b6f3db491

    SHA256

    c989d724540a41e68eabd23badfb429d61745af88444e26fdd38a2f4ef64a8d6

    SHA512

    8f6caa9da491a40eb6c74f1d4addc82b6a169d4624375efc88a3dadbec3968a07017cd1e9d609a9c9023a5afb2994af59d41822e7a3539e1f5ba2512f9522f40

  • memory/2400-83-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2400-89-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB