Overview

overview

10

Static

static

10

39505bf9b6...97.exe

windows7-x64

10

39505bf9b6...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-02-2025 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997.exe

  • Size

    101KB

  • MD5

    7e7c78851deff9d56a07aa149014f4f0

  • SHA1

    5f4caa9c70e3aa6994c76a416a3192b272879475

  • SHA256

    39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997

  • SHA512

    0e07c6c400472d4322c438efc1e3a2e528dc764ee342baaddd25e75db4a3005d717f0e6d4b975eba6a7acb8483515f7e82b0887dbf0d42679c4c83c68fe00625

  • SSDEEP

    1536:JxqjQ+P04wsmJCgQ5eVOH9SNI5bj/OWVsqXl9ikVruPWVRDFaNIp1kbgwyr:sr85CAVOHUNIbj/OYlXqe1EIbkbgnr

Score
10/10
neshtaxwormdiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:6000

74.249.113.208:6000
Attributes
  • install_file

    USB.exe

Signatures

  • Detect Neshta payload 5 IoCs
  • Detect Xworm Payload 2 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Neshta family
    neshta
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997.exe
    "C:\Users\Admin\AppData\Local\Temp\39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\3582-490\39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUY3REI5RDItMURDQS00MEE4LTkzN0EtOENGMzRCN0FGMTFCfSIgdXNlcmlkPSJ7RTkxOUQzRUItNEM0NS00RTBELTk3QzYtMzNBOEE1RUVDNEVCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDY3OUZGRUEtQzRGQi00NDUzLUFCRTEtMEE0QkJDRkVFQjdDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4MzAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTE0Njg3NjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODMyNjE2OTM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4484

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize

    86KB

    MD5

    3b73078a714bf61d1c19ebc3afc0e454

    SHA1

    9abeabd74613a2f533e2244c9ee6f967188e4e7e

    SHA256

    ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

    SHA512

    75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\39505bf9b61e4886a5e886d9ec0b50f00ce691c8c7c6934fdb62a90ee0eb7997.exe
    Filesize

    60KB

    MD5

    64c62bd8f4f6cc59800fbd0c5db24f6f

    SHA1

    d8a4cab2cfe708116347c8d45a4ed531b4bd18a9

    SHA256

    621a4767b78e23621629f3abcc77504163a9effdcd13ea9aaa561a2044bbb5fa

    SHA512

    bbc6a618eca27a2465165317afbbeb03b81200aa8662adb0049f5504534ec0c780d265419317640d06f561e1ad9ff8703a04dd2d95ca72392a88c99931523f6a

    Download Submit

  • memory/1808-128-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1808-131-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1808-132-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1808-134-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2028-13-0x00000000003A0000-0x00000000003B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2028-12-0x00007FF9BEA43000-0x00007FF9BEA45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-126-0x00007FF9BEA40000-0x00007FF9BF501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2028-127-0x00007FF9BEA43000-0x00007FF9BEA45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2028-129-0x00007FF9BEA40000-0x00007FF9BF501000-memory.dmp

    Filesize

    10.8MB

    Download