Overview

overview

10

Static

static

3

fc6e2360ec...34.exe

windows7-x64

7

fc6e2360ec...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934.exe

  • Size

    1.3MB

  • MD5

    54f49c2ad41ba4050cdda443c5d2c933

  • SHA1

    a1e467fb0356150a3883dc16ab4618467a9034cc

  • SHA256

    fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934

  • SHA512

    a1e101900c5a4e5ebba1d0c2ddb80e6ee3486fa43d389f53ec4aa1499b4debe6daafd218b981f22bba4dc80d845c2fcf0cf21ae16908950eab7f7004fb0fcb04

  • SSDEEP

    24576:cA7/6yeoGoMxQtDqIz46L7F8iICk14Tg7ncxRaFdfRwUmqt2LMf7PV56uESbxAq+:5zFBhewK7ZwNWjmqz2/

Score
10/10
neshtadiscoverypersistencespyware

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops startup file 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934.exe
        "C:\Users\Admin\AppData\Local\Temp\fc6e2360ec42b0162ca6c115a87359ddb884735669a408df62d03a695554d934.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops startup file
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4668
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:3020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
      Filesize

      86KB

      MD5

      a19e4a96ec5d5485b9574701f725b974

      SHA1

      9473682ece20859be37bd4e4217f47596fe305d7

      SHA256

      29d948687548a1374710fd24591ea81a5e3bcddf52b2a121c9627704f2f98e97

      SHA512

      73aabc378bd230e5383587ccbf9d1bb4d1e25f9880097d6204e8de5b4457e903ea5351bf10dddaa14c4650a4d91172495d8f5f06e63473f8bc43d1442db286e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3582-490\InstallUtil.exe
      Filesize

      40KB

      MD5

      7fe6fb5408992330ada9cd81be35c33b

      SHA1

      2f732ea754fa43dea05fdad5c821f008a92935e2

      SHA256

      8b53f3559183d6206e2573a0c3813141cad7621ee93a5241c622cf7c664d9aee

      SHA512

      630cd455c5c4367e7d4a423d78b69e8f8ca02aa16b2af65d7357420511a692b233c04dc5d8aaafe3eb477b57a37a3ed0ee5b807a66c6fbaa223ac0abd22176ec

      Download Submit

    • C:\Users\Admin\AppData\Roaming\DISALL~1.EXE
      Filesize

      1.3MB

      MD5

      8a49b858da9dd49e94e799ab6afaaf13

      SHA1

      0d5c7800aae44f25b7a453c143fa092c2d94419e

      SHA256

      fcb684dd4a98687d6a399d2829822a50c127c7e1c43a0c84163c9bcb7d272a0f

      SHA512

      3c895ac2861a21734bc641ba85cc87f1688de57dd7d64b96e4330cf9ae102be54419b842eeb84015539f3a8dc6ecce3886269b53e9e69f66baa8a493856cdaf1

      Download Submit

    • memory/3020-1202-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/3020-1300-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/3020-1302-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/4668-38-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-5-0x0000000074A30000-0x00000000751E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4668-3-0x0000000004E50000-0x0000000004EE2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4668-30-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-32-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-6-0x0000000005220000-0x000000000532E000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4668-44-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-60-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-70-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-68-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-66-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-64-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-62-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-58-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-56-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-54-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-52-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-50-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-48-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-46-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-42-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-40-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-1-0x0000000000400000-0x0000000000552000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4668-36-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-1203-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4668-2-0x0000000005500000-0x0000000005AA4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4668-4-0x0000000004E10000-0x0000000004E1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4668-28-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-26-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-24-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-22-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-20-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-18-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-16-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-14-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-12-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-10-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-8-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-7-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-1183-0x0000000074A30000-0x00000000751E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4668-1184-0x0000000005040000-0x00000000050BE000-memory.dmp

      Filesize

      504KB

      Download

    • memory/4668-1185-0x00000000050D0000-0x000000000511C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4668-1186-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4668-1187-0x0000000074A30000-0x00000000751E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4668-1188-0x0000000074A30000-0x00000000751E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4668-1189-0x0000000005390000-0x00000000053E4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4668-1195-0x0000000074A30000-0x00000000751E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4668-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4668-1204-0x0000000002B1C000-0x0000000002B1D000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4668-34-0x0000000005220000-0x0000000005328000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4668-1205-0x0000000074A30000-0x00000000751E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4668-1201-0x0000000074A30000-0x00000000751E0000-memory.dmp

      Filesize

      7.7MB

      Download