Overview

overview

10

Static

static

10

98324ed826...fN.exe

windows7-x64

10

98324ed826...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    89s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 23:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe

  • Size

    199KB

  • MD5

    217e41f6c25d038647a7442444f73ac0

  • SHA1

    6296791ef6ed5b2a0ef18f2a0af986f9596939ee

  • SHA256

    98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572f

  • SHA512

    b1cfb43fa8db915b9b4be3a682e6870d3321ff808ca33e45ae57042e3ca200f4307d601c199e41b8a9cb0e0bcd969f5b5d35842403330e861366f0081aebf4d4

  • SSDEEP

    3072:7r8uCJwMEHdNOy+eP/rM71eYQUXlqBRfpj46MQCcA5Cf0Gy4i8qQtHSUgmQ:3CJXAkp2r+QUXWS6MXi10KQ

Score
10/10
neshtasalitybackdoordiscoveryevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

  • Detect Neshta payload 10 IoCs
  • Modifies firewall policy service 3 TTPs 6 IoCs
    evasion
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1040
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
        PID:1064
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1128
          • C:\Users\Admin\AppData\Local\Temp\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
            "C:\Users\Admin\AppData\Local\Temp\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Loads dropped DLL
            • Modifies system executable filetype association
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2988
            • C:\Users\Admin\AppData\Local\Temp\3582-490\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
              "C:\Users\Admin\AppData\Local\Temp\3582-490\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe"
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Disables RegEdit via registry modification
              • Deletes itself
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2704
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:2004

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Event Triggered Execution

          1
          T1546

          Change Default File Association

          1
          T1546.001

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Event Triggered Execution

          1
          T1546

          Change Default File Association

          1
          T1546.001

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          4
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Disable or Modify Tools

          3
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCACHE\ALL USERS\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
            Filesize

            262KB

            MD5

            f1f9e02909121e6143fadc23b0048f4f

            SHA1

            d6508319ba4bf374c486f3df9d034f31f53c10d5

            SHA256

            3e0ba3faf35b77cc8b90e640ff5ec1c4ce2738c651b277e04030a5fca71a646d

            SHA512

            df9f3695f23e129ece0008e9f47c9848ab89f0cb36cd0dd943f5e0c90a624bc8e73ccd05f72444533b4fd00a8e1703d93673b0b480d67a903cbee6406314ea77

            Download Submit

          • C:\MSOCACHE\ALL USERS\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
            Filesize

            1.2MB

            MD5

            5e32d30a06ce3561a073449c9b2ac4f8

            SHA1

            96486abffb5f671d5d433c2aa15fd8ce498e3fbb

            SHA256

            70d46ac4c760beb38f07d42724799473f7d064ea6272861128644286ab12c493

            SHA512

            0f7f5425b11f285dc1f7ea5acc51245845075da954cfed92e117a1633b38b8dca9aee0247755c40213d3120ab298fc81dda918b87411dcfa3222664046edc131

            Download Submit

          • C:\MSOCACHE\ALL USERS\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
            Filesize

            939KB

            MD5

            e02c3d90a294f1e122b72cdb693bff97

            SHA1

            c948ff1a35fdfce537fb29b02fb2ee3ea4a8665c

            SHA256

            1582b4035a6b28564874c5b65e37c5be965bcf8055ebd2f27faab280240999ac

            SHA512

            fc700ece59aafad147bd456dadfd964c788a090b6f37342bff3f5db9093655dcb02e6a1f885e6e99f685c254e73123e36ef47cee331aeb06623df6b6a671b926

            Download Submit

          • C:\MSOCACHE\ALL USERS\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
            Filesize

            627KB

            MD5

            22de8327d9d20d5ce6249869e8fe71bc

            SHA1

            c7191251e00e3c441a0d9f075537f0c3c34ba856

            SHA256

            2ceb3241d15106f4fa14d7d674ca89f63d57685e01a8047592aa384c7dd33f28

            SHA512

            a2ad2e550b75aa39d0952c1876df5571206e34a57a30624fa365db1a144a75bfbcc1f715edcf2f1674f0d5f91be3a9030ddadfdf7bf0b8878e6916ad97c425aa

            Download Submit

          • C:\PROGRAM FILES (X86)\MICROSOFT OFFICE\OFFICE14\BCSSYNC.EXE
            Filesize

            201KB

            MD5

            dd8fd6fe40b53e50740034a0161ecca6

            SHA1

            e9f520fa0446ad39e162a7189c85d63ac566894c

            SHA256

            2f93fe39f48d6f105648c63f18e0c1504679c671dc424c568297ccd0c47ddea5

            SHA512

            e5b03d0001985d8e535fbeab3607a221f3cc1de49408ac5fb19dcf7e8057136eb180dbceb12d870b928abf01e22b3d9db75eab9fcf6abf39f6186b39700045fb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0F76BC8B_Rar\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
            Filesize

            123KB

            MD5

            0b821290c68397ceb82e72bc2461dd75

            SHA1

            abbaf25d5f6b704e96fd8c4c5b7167bedb9ff89a

            SHA256

            da6a93a2ca6474486cf329773e9c9c0d807637e2a4688f9d24dbc20f70da3fb5

            SHA512

            8a5f7427b680882ff4645c8278a50c3b0d58de1e9cdf0e69c2940f94fbef03b47292a9c3a6be08f38e69870efcaf5a7262a0e3f272127021d2fe91b12044da23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\3582-490\98324ed82667a759bbdb1b087c3762be2c672e45fc0b00fbd3161f6810fc572fN.exe
            Filesize

            83KB

            MD5

            1a3dcedfc4ec7ba61d6ce98d5f19bc33

            SHA1

            954cb7e1294cc1ccab1320c612940dc856dd53d5

            SHA256

            b555293909b18eb3e9f75ab825c8434c55913c8f1f2f67a0bd8cce41e6b04abd

            SHA512

            34f0aa716b6585068dab63f9f801002fa18d7f711b404711bc3e4351c2dd3798e479feba9969a743522051285b01e7379ec6d150270eea9b4c7eaec919f59925

            Download Submit

          • C:\Windows\SYSTEM.INI
            Filesize

            257B

            MD5

            a003dd2b3ae28a7e4926b01cc2609e08

            SHA1

            30fd9a96f66697babd1d60d6c1fef82854c58d8e

            SHA256

            423b5c9b99aea0feeca2ea4dfbc5209ab2f1bc07b758c8ca2ccaaaef1c13c98d

            SHA512

            b6605fba7cff7a875e699d3ee43219991e49550b2eed953025c94c0065644baa2391595c2fe439e6403e1e01d9259c163c1747edd136fa46f51d61f6c62d17a3

            Download Submit

          • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
            Filesize

            252KB

            MD5

            9e2b9928c89a9d0da1d3e8f4bd96afa7

            SHA1

            ec66cda99f44b62470c6930e5afda061579cde35

            SHA256

            8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

            SHA512

            2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

            Download Submit

          • memory/1040-21-0x00000000001B0000-0x00000000001B2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2704-166-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/2704-163-0x0000000001D80000-0x0000000001D81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2704-164-0x0000000001D70000-0x0000000001D72000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2704-134-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/2704-49-0x0000000000400000-0x000000000041B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/2988-53-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-135-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-32-0x0000000004140000-0x0000000004141000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2988-20-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-48-0x0000000004DE0000-0x0000000004DFB000-memory.dmp

            Filesize

            108KB

            Download

          • memory/2988-47-0x00000000040F0000-0x00000000040F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2988-35-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-36-0x00000000040F0000-0x00000000040F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2988-0-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/2988-34-0x0000000004140000-0x0000000004141000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2988-103-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-127-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-129-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/2988-130-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-131-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-12-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-133-0x00000000040F0000-0x00000000040F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2988-31-0x00000000040F0000-0x00000000040F2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2988-137-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-11-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-14-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-157-0x0000000004270000-0x0000000004271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2988-155-0x00000000005C0000-0x00000000005C2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2988-165-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/2988-13-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-167-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-168-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-233-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

            Download

          • memory/2988-234-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-18-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-15-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-10-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-16-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-17-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/2988-8-0x0000000001D70000-0x0000000002DFE000-memory.dmp

            Filesize

            16.6MB

            Download