Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
06-02-2025 18:44
General
-
Target
setup2.exe
-
Size
4.6MB
-
MD5
3bae9204971b7e382a02dfd3e33c2a6f
-
SHA1
ea6bc8a4f03eb8baa3624d17c6d58425618834e3
-
SHA256
1c3c50e64d6b5db97bb41172e346a80a4494a834ee0049f382f0bc3e2d009a45
-
SHA512
e563a8bf51c7e4e81400470922a742d5da1c5c5da97e9c5555bf2aa76254eacfee736ad5b7376a3f906382ee72ff1e60ad60b2f130c5efbb56eb521ab3a1e195
-
SSDEEP
49152:psen+GsFHsaSX99dA6jqlUXTG5V8tJip/A9Z/MbIlSE2t7B6dfzOqBRQeKgw0vTd:psenIMnlq3I9Zb07B6RRHU/0vTd
Malware Config
Signatures
-
Detect Neshta payload 30 IoCs
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 12 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup2.exe"C:\Users\Admin\AppData\Local\Temp\setup2.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\setup2.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\setup2.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~1\Setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\Setup.exeC:\PROGRA~1\Setup.exe4⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c TASKKILL /F /IM explorer.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM explorer.exe6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c TASKKILL /F /IM regedit.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM regedit.exe6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
859KB
MD502ee6a3424782531461fb2f10713d3c1
SHA1b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA5126c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
Filesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
Filesize
186KB
MD558b58875a50a0d8b5e7be7d6ac685164
SHA11e0b89c1b2585c76e758e9141b846ed4477b0662
SHA2562a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
Filesize
1.1MB
MD5566ed4f62fdc96f175afedd811fa0370
SHA1d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
Filesize
164KB
MD55776a4ef7f492636c052ae64b35bf4ce
SHA133f56f902e20ed138baa351f7446bf40abdd62c9
SHA25642ded6072e28ed5394b0a832a0559b8e618490764f2490dbedcf7e5479537573
SHA512829e286fd303577c2c6352c6279b084055f2bb772650f7b26d4b0a1c7c0185385ed8bde855fcc598c09ccd79ed92fcbf47537c7ea09786fddb6005dee3b9ae6d
-
Filesize
8.1MB
MD52a845f8cf2a83d8586ebd7c4d798e9c9
SHA19e087b3c08fb7f55bf59472296af0e3eb340e1aa
SHA256e30290a28535b5a9acfdc341edd492640375678c1dd6285f41acddbf994fa5b3
SHA5127cf832e0c6f49ba1f0f3030d98cc9d19a265ad344dfa6073b33b058083a2155ba582da42ea63266b61198502ac7671b7e6e37b430621f4f25bbaa020356ffb5f
-
Filesize
285KB
MD5831270ac3db358cdbef5535b0b3a44e6
SHA1c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450
-
Filesize
313KB
MD58c4f4eb73490ca2445d8577cf4bb3c81
SHA10f7d1914b7aeabdb1f1e4caedd344878f48be075
SHA25685f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
SHA51265453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769
-
Filesize
569KB
MD5eef2f834c8d65585af63916d23b07c36
SHA18cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA2563cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA5122ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7
-
Filesize
381KB
MD53ec4922dbca2d07815cf28144193ded9
SHA175cda36469743fbc292da2684e76a26473f04a6d
SHA2560587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7
-
Filesize
137KB
MD5e1833678885f02b5e3cf1b3953456557
SHA1c197e763500002bc76a8d503933f1f6082a8507a
SHA256bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe
-
Filesize
588KB
MD5c275134502929608464f4400dd4971ab
SHA1107b91a5249425c83700d64aff4b57652039699d
SHA256ca5263f340cc735ba279532bbd9fe505fcf05d81b52614e05aff31c14d18f831
SHA512913cadcb575519f924333c80588781caecd6cd5f176dc22ac7391f154ffc3b3f7302d010433c22c96fde3591cac79df3252798e52abf5706517493ef87a7ef7d
-
Filesize
194KB
MD57ed0f5802e7fc1243b7c82862c5bf87c
SHA1e16741b5050df662da25419da6cf80517fc2a46a
SHA2563342cf175e2c42ee691ba58cf7f6d6db3116f615b5483327fed706067b265595
SHA512a006888ed6dbd9dd548f84d57c84e3baccc1ee5c09d2d127ce26c3f01af59e8531bc43b4f986aa45d8853f3d71a87dec2adbd34bd75a182e4f45111c69339fef
-
Filesize
741KB
MD509b6228693dcd65633fac31ad27b94e0
SHA108b21aacdf04d2f57bdaa771f11c0d4cd49d525a
SHA25654fb0e770f9ae89610dcf701ffb0de1e37ad287d2e58fc6ab7042b384060fd8e
SHA512fd3af4cd805be8ddfc172eb97edb5241ee2543af90bc0c74aa66144a6fae56e1dd413996d190d3849756a36ffe75aec464ec310ade5a0c61152aaf5f740402e4
-
Filesize
735KB
MD5cdbd2a917b44ccd70a4a961913b286fb
SHA14a81506be51c467e061f603379ddd1b21f9cf4a9
SHA256f6e9195020226b54ec4026810b7d941ed7d2c7b41f7caa78917f0911ca3a5927
SHA5122cd086690e3629c08e2e2cf60beacd41c4ae61787690901f1dcc9996ef783c048bff892244325dfadbfdf1919353d19a5d7d6f9541c18dc802420f6346edf8cd
-
Filesize
184KB
MD567a6e518de5b8401669ccf03059f1bac
SHA198ccf378e8c7e3ada48c4f6ca52b9293e141ce84
SHA256c554dfea900392e9eb4a0ab658f76a5a1de1e41bdce80382b5943dd78fc9516f
SHA5124e7b1922328d1e05e7faf456f61375df081faacca415c5242e12f081dee4d7f03835a9776295c77e7788984188f27ff358d72bc9100dbb250975aaaf2e95777c
-
Filesize
647KB
MD5f642d1d17c9c11fd36c861ec464ef3bc
SHA12bcfbe7d7af87c420949472f1c854be44df9c7ba
SHA256ef98853ac7877333baf3f8be301402d5f6b894a7f87af7b01f3fca7ef63f6cc3
SHA5120a7ce3d2a06f759f0fe5c6f611845d4ad255ad51ff5e99ed3c03449273d8c763c81edeeab3e0f3e150192441263d4c7aad232afcc320a52c17bb0c9f336f1bd4
-
Filesize
1.8MB
MD5fc87e701e7aab07cd97897512ab33660
SHA165dcd8e5715f2e4973fb6b271ffcb4af9cefae53
SHA256bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46
SHA512b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec
-
Filesize
1.5MB
MD5361e4d0109807311ec8d055a2752da45
SHA1d5d9a8e4d0dd912e391c304766b49ef7ff839acb
SHA256f393234dadf9221f87711c11f39323b0db4c6ba4311ce9008e5251f8c55eb746
SHA5122ba3a7f12620a381a311efd69f2fbeb625e3483d4b9efaae7098269e13ddfed1d1a254356cd385d76b5032f52587e3a2b81cf4a4b9857a9478dced566e539e99
-
Filesize
674KB
MD597510a7d9bf0811a6ea89fad85a9f3f3
SHA12ac0c49b66a92789be65580a38ae9798237711db
SHA256c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA5122a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb
-
Filesize
495KB
MD59597098cfbc45fae685d9480d135ed13
SHA184401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA25645966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA51216afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164
-
Filesize
495KB
MD507e194ce831b1846111eb6c8b176c86e
SHA1b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA51255f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
-
Filesize
485KB
MD586749cd13537a694795be5d87ef7106d
SHA1538030845680a8be8219618daee29e368dc1e06c
SHA2568c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA5127b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
Filesize
674KB
MD59c10a5ec52c145d340df7eafdb69c478
SHA157f3d99e41d123ad5f185fc21454367a7285db42
SHA256ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA5122704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f
-
Filesize
485KB
MD587f15006aea3b4433e226882a56f188d
SHA1e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA2568d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1
-
Filesize
8B
MD5d868c7a8d6e8cc9ba9bbdf25f3fa70bc
SHA1aca0283aea7eb69565dfe4369f96aece1bfa7baf
SHA2566d12e12a09fd7cf7a0d64b2fd009901da117a4155fac72a896d6a187b65d4d8b
SHA51282a70ba23307c2ba832c52e720100ae38126407dbf62ead31a3ed30388dd9f1e5d8b2d39454685d5c78d58557fc28fde389fbb9ca2ad3d708264a8f03b57e481
-
Filesize
40KB
MD5e1fa47d24575322a53cd03ffbefd1e1e
SHA1fc1046b440945956100d357cdc7182673c8ed6da
SHA2568b5ebced86c559a046b6a5c50574951e381bc16e92eba8bdae457c423f073f77
SHA51227eff70ac170454b490869bf809d34f55ae2b5585802b2192e68f86f2cf7594d9d6e2bfea6cc1eb5f51acc4513707309500689fb8e5af35bd18c454763d3ca9f
-
Filesize
177KB
MD5b971f35ffcbbb307761eb89a21df12a7
SHA170de69bc3a53603eab2d83eae1363ce2448207cc
SHA25605a30beb390ea86ca143a7e8f03c0a7aab7ddaf63229ee0d76366a217db9d864
SHA512ea01509f808daeb4d5404c86162191f8f43a8fb009dc2be45b6d32e730b457c16c07d0ca56f56eb5f2f212507b7fa25da86dd1676ae480b147e633cacbc2b2c8
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
4.5MB
MD501aa3be73ae3cb82a28c4c2ba71dae76
SHA1adc91a9f80fde014e597fac39bb8aba14f63f8aa
SHA256e9e8cf4b3daf9ba274e2eee7c5a0f80e55b0f04c2ceb55e98d24f9d9b5d030f6
SHA5129320aa93bfd6f4fa6d54e288ce4da1388d09701e1f7491113c34cf67840caba8413aeff3fb32eda4eb862bbeed0f1c6616960040b44185fc236383c82bf06027
-
Filesize
46KB
MD5a44bca08e8ed65e636f8b68960b8d7ea
SHA11803024e3e62f51d474e832b67d2d8ec167b96de
SHA25626bb0541924fd7f96c22df5b4f7b8cabd88ea440dd19ddefb4e2754f17eb0df4
SHA512c83a5c4b5f38767e74b67b81f83635459e9165e4bc6574c53e77e57cfb1107aa435172375e8eee44e7fce2b50ec8f108dc8d609bad332798740de7cb6cf51e4c
-
Filesize
68KB
MD52f8bc6c1741bc86ee012f444c56d192e
SHA1c4840d4d39dd8fafe4248ab96082860a0db02f6f
SHA256ec6f6310e3a08ad80ea159c336e93cc024dae223a5bd4b08ae2e0351941aec07
SHA5126a8e415f5d14f56a29541d50f7277f66222f4f1374fdb1f1892ce51dbc29e5ef766552518a2c78b8ae0bb5820b6eb3330b2dc9595f80b78ef6131de069a8c76e
-
Filesize
43KB
MD520d9c2a35bb008a6a64e0986f9aa7d51
SHA156175f6a3721fffd4a81085ad8bdfe175e9cb781
SHA2564f47c6230af39d0187384611dd3703fd2130b28da86fec7ae0bbecde88a2f05d
SHA5122de299f7b7733073f0306cf0b84cde49ccf3315e55928bda42351456d9d9af305894dcee295d87516aa10712630b45eb3e3d62bf494980bb2db3265647d0575d
-
Filesize
4.6MB
MD55483bd2f68e4be087be99e938c4de8fc
SHA1e5e56d93b69197f11f87d8dd3e84a9697b4ced29
SHA256e452640009a12c3a666a425515953ebd3ca29a9064ed616671d722d31f9d2dfd
SHA5123619d7f95d48c0840439d59a81bf3e6050f445e0158527aa24d98702f5cd6a67298947e999d23cfba80b0d279afae81eddc75d24a455bc484f7b3586482b2bb2
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
144KB
-
Filesize
384KB
-
Filesize
4.9MB
-
Filesize
520KB
-
Filesize
384KB
-
Filesize
3.1MB
-
Filesize
520KB
-
Filesize
144KB
-
Filesize
60KB