Overview

overview

10

Static

static

3

65eb79c58b...b9.exe

windows7-x64

10

65eb79c58b...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 23:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe

  • Size

    603KB

  • MD5

    9314f1ff84e2de4d7a3051a47c320761

  • SHA1

    e25f22c6897cf8badc1836cd088688b1ed602586

  • SHA256

    65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9

  • SHA512

    10f1394779afc25b66e4c16cc05d1242b7ebed756c0c957e5638915b6fbbb17b4297a1652a53d89fd1b04c7f1cd4f474c49aa118e97236288d00407e819becee

  • SSDEEP

    12288:/NHbufgD7qSdPBZ4SpLeLBLg12sgLkLORn3U07DzDCNEl2xdjta33q+Q0:/5Cfgas/LpLeLBDsgTG077CNElqjY33J

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
    "C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
      C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
      2⤵
        PID:2744
      • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
        C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
        2⤵
          PID:2776
        • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
          C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
          2⤵
            PID:2804
          • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
            C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
            2⤵
              PID:2740
            • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
              C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
              2⤵
                PID:2688
              • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                2⤵
                  PID:2924
                • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                  C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                  2⤵
                    PID:2656
                  • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                    C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                    2⤵
                      PID:2664
                    • C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                      C:\Users\Admin\AppData\Local\Temp\65eb79c58bfddacebc3d72fc220f5b4a9fbcebda917d5d55f7621dcf2f95b0b9.exe
                      2⤵
                      • Loads dropped DLL
                      • Modifies system executable filetype association
                      • Drops file in Program Files directory
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      PID:2396

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
                    Filesize

                    859KB

                    MD5

                    3c168a98d04b893f051be6a4637ff7d9

                    SHA1

                    3cd101e6ca638f70bf57e1e60baa1b1385b65252

                    SHA256

                    d687689c12616ecdbe2e378064e63e43f9a027cda0c1f137d3234b5f8587b913

                    SHA512

                    fa3ffb2c87a90f941f3c46b76b25048e83a0529d3a703b4bd91dc50f9a7a9cd95d23c3ce2b8b7e770c49801197cf85a7271583a22d3ed1bc462487eb17a3f0df

                    Download Submit

                  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
                    Filesize

                    252KB

                    MD5

                    9e2b9928c89a9d0da1d3e8f4bd96afa7

                    SHA1

                    ec66cda99f44b62470c6930e5afda061579cde35

                    SHA256

                    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

                    SHA512

                    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

                    Download Submit

                  • memory/2096-0-0x0000000074B41000-0x0000000074B42000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2096-1-0x0000000074B40000-0x00000000750EB000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2096-2-0x0000000074B40000-0x00000000750EB000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2096-3-0x0000000074B40000-0x00000000750EB000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2096-4-0x0000000074B40000-0x00000000750EB000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2396-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2396-14-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-24-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-28-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-20-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-18-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-16-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-25-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-12-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-10-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-8-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-26-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-7-0x0000000000110000-0x000000000020A000-memory.dmp

                    Filesize

                    1000KB

                    Download

                  • memory/2396-108-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download

                  • memory/2396-110-0x0000000000400000-0x000000000041B000-memory.dmp

                    Filesize

                    108KB

                    Download