Overview

overview

10

Static

static

10

GrayWolf.exe

windows7-x64

10

GrayWolf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GrayWolf.exe

  • Size

    5.4MB

  • MD5

    fc880e4806da9ef322b4918ad89880bd

  • SHA1

    a359064fce75722488038c4316deb7354cef87b5

  • SHA256

    608e5234a2745f72909b5e002176149df66e39c36217fcc4826f13dba9e0153e

  • SHA512

    ea43f38145b4493a0a2ed5a7fa6997dd86573530a479e7593928629f74106430e2e45ee15e156f6f3c648d164d909db0591fb0407034037e79d3175b146471da

  • SSDEEP

    49152:DF/5OwXqsw+mw6j4w6SAZplWz3SUcSUWrXxRyJQfSqF6kr3Az0L:D/B0rQgCUcSUWOv98JL

Score
10/10
neshtaagilenetdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Obfuscated with Agile.Net obfuscator 3 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 21 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GrayWolf.exe
    "C:\Users\Admin\AppData\Local\Temp\GrayWolf.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Local\Temp\3582-490\GrayWolf.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\GrayWolf.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    Filesize

    1.6MB

    MD5

    3a3a71a5df2d162555fcda9bc0993d74

    SHA1

    95c7400f85325eba9b0a92abd80ea64b76917a1a

    SHA256

    0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8

    SHA512

    9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\GrayWolf.exe
    Filesize

    5.4MB

    MD5

    02a88d03242515576fa54218538e34fa

    SHA1

    ed6f90fcbf9fabf0da167987e1c2647833df5d6e

    SHA256

    533afe3493caae3a36d03f7766aeeec4de9f682a76d73b8098f975daacf48c0b

    SHA512

    b9b0a03500e5ef66569dc42b07c5da6c186660989403bafd9f8511303add0622f8a9f670f73dffa3ddd8fe044b82c4e26a4ad6ae6e1aa0898c72b3ef671e09d5

    Download Submit

  • memory/4060-130-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4060-135-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4060-137-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4060-140-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4272-24-0x0000000000DE0000-0x0000000000E0E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4272-20-0x0000000000D80000-0x0000000000D90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4272-15-0x0000000000D50000-0x0000000000D58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-14-0x0000000000D40000-0x0000000000D48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-25-0x0000000000E10000-0x0000000000E28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4272-32-0x000000001B260000-0x000000001B268000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-34-0x000000001B2C0000-0x000000001B358000-memory.dmp

    Filesize

    608KB

    Download

  • memory/4272-38-0x000000001B5D0000-0x000000001B5DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4272-37-0x000000001B5C0000-0x000000001B5C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-36-0x000000001B5B0000-0x000000001B5B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-35-0x000000001B360000-0x000000001B3AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4272-33-0x000000001B270000-0x000000001B2BA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/4272-31-0x000000001B1F0000-0x000000001B258000-memory.dmp

    Filesize

    416KB

    Download

  • memory/4272-30-0x000000001B1E0000-0x000000001B1EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4272-42-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-29-0x000000001B1D0000-0x000000001B1DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4272-28-0x0000000000E40000-0x0000000000E48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-27-0x0000000000E30000-0x0000000000E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4272-26-0x00000000027B0000-0x00000000027E4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/4272-13-0x0000000000040000-0x00000000005A6000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/4272-23-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4272-22-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-21-0x0000000000D90000-0x0000000000D9C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4272-16-0x0000000000D60000-0x0000000000D76000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4272-19-0x0000000000D70000-0x0000000000D80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4272-18-0x0000000002700000-0x00000000027B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4272-17-0x000000001B3C0000-0x000000001B5A6000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4272-54-0x000000001CD30000-0x000000001CD4C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4272-98-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-110-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-111-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-127-0x00007FFD651D3000-0x00007FFD651D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4272-128-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-129-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-131-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4272-132-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-133-0x00007FFD651D0000-0x00007FFD65C91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4272-136-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4272-138-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4272-12-0x00007FFD651D3000-0x00007FFD651D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4272-141-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4272-142-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4272-144-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4272-145-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4272-146-0x000000001B7F0000-0x000000001B999000-memory.dmp

    Filesize

    1.7MB

    Download