Overview

overview

10

Static

static

10

2025-01-04...ok.exe

windows7-x64

10

2025-01-04...ok.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2025 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe

  • Size

    154KB

  • MD5

    877cec8193a067605a4ae8193cd6512c

  • SHA1

    3a2b2fa4fa4ca05b909bb465f8623c8674aee5aa

  • SHA256

    625e5d6d49f078375b719b5baacda269d68986af78f2e8110028787d805068b7

  • SHA512

    a5c9ebb9c583494ecf493e5bf5cfda919e7e3b04b285ef90b62e07e475f907c2a6ffed81e2f80c67fd274d8699fe8c3610eee8b2ef70f81e802ab4310ecc5aee

  • SSDEEP

    3072:sr85CAffhavIWqQlTskRTeNpbt64NUsHzqaB7SJLmwvjSQnf:k9ofDWqQlTs+KNfvUsHzYJL9jSQnf

Score
10/10
neshtadiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 5 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\3582-490\2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe
        DDEServer
        3⤵
        • Executes dropped EXE
        PID:2000
      • C:\Users\Admin\AppData\Local\Temp\3582-490\2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe
        DDEClient
        3⤵
        • Executes dropped EXE
        PID:2620
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    Filesize

    547KB

    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\2025-01-04_877cec8193a067605a4ae8193cd6512c_neshta_rook.exe
    Filesize

    114KB

    MD5

    c5bc26c810d61e972e0a45f514c743cd

    SHA1

    184e81694b1bd060c66c40cfd1687b82ca39777e

    SHA256

    8411c7b4b1de7d664767934512688acc949156b6cba26060e316ea788904a391

    SHA512

    762ac410d549347dfa9fc44cf88357c83bf3bf1e25750e7f31fb8fe050622b7b15db8642704d4d33543ee3c29e85fafbe84c4fadb60d5a0a1043cbc9de974527

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
    Filesize

    8B

    MD5

    353dc1432b843f2e52d27b9c9a36297b

    SHA1

    c7621d9416ba47fab97d3fe4c185a1bdc8575f57

    SHA256

    0c7d167d5d31783731b5d663de04a626d18fa7ae7fd0d4e560f2c617255581fd

    SHA512

    627753d349c6b657e28106aaf5f2d75440502f3467d4414b90eadec50a0f4f51e0ec624cff08c300e3f1c844ce09a8594c8969c2e0cbfd9e59b8d57bc91b3f7f

    Download Submit

  • C:\Windows\svchost.com
    Filesize

    40KB

    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • memory/1028-113-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1728-103-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1728-99-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1728-93-0x0000000002D90000-0x0000000002DD6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1728-6-0x0000000002D90000-0x0000000002DD6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2000-95-0x000000013FEA0000-0x000000013FEE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2000-92-0x0000000077A53000-0x0000000077A54000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-97-0x000000013FEA0000-0x000000013FEE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3048-98-0x00000000000F0000-0x0000000000136000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3048-100-0x000000013FEA0000-0x000000013FEE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3048-91-0x00000000000F0000-0x0000000000136000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3048-15-0x00000000000F0000-0x0000000000136000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3048-107-0x000000013FEA0000-0x000000013FEE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3048-94-0x000000013FEA0000-0x000000013FEE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3048-7-0x000000013FEA0000-0x000000013FEE6000-memory.dmp

    Filesize

    280KB

    Download