Analysis
max time kernel: 147s
max time network: 151s
platform: windows10_x64
resource: win10-en-20210920
submitted: 24-09-2021 08:48
Static task: static1
Behavioral task: behavioral1
  Sample: a503bf5f5a7aefd063ad1ce5c0c244ed.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: a503bf5f5a7aefd063ad1ce5c0c244ed.exe
  Resource: win10-en-20210920
General
Target: a503bf5f5a7aefd063ad1ce5c0c244ed.exe
Size: 272KB
MD5: a503bf5f5a7aefd063ad1ce5c0c244ed
SHA1: 4fdf77348d0d33804254ab3e0761fe2a4ef5f82d
SHA256: bd0eb6fff38b72907c56ad02467144b61744a7d24a054ce14eddf779854180ca
SHA512: 08286e00054005b6feaaef4c27e806c0cd5fd781d4f97e9e7118489bfee4ab7d102d21e86f25e1d615ae917e246e48beae703950c9b2d3ac51b3871b56f8f52f
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
Loads dropped DLL (1 IoC)
Processes:
pid | process
2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (53 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
description | pid | process | target process
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
PID 2352 wrote to memory of 2428 | 2352 | a503bf5f5a7aefd063ad1ce5c0c244ed.exe | a503bf5f5a7aefd063ad1ce5c0c244ed.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a503bf5f5a7aefd063ad1ce5c0c244ed.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a503bf5f5a7aefd063ad1ce5c0c244ed.exe"
   PID: 2352
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\a503bf5f5a7aefd063ad1ce5c0c244ed.exe (child of the process above)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a503bf5f5a7aefd063ad1ce5c0c244ed.exe"
      PID: 2428
      - Modifies system executable filetype association
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\nst9D12.tmp\wcttpp.dll
  MD5: 5a72fd39b2efe488fc0c84b9e9380c51
  SHA1: 4a6dd35c6cc3af986250374b2e5af2000791f77a
  SHA256: 930274a00c6b8397b2d03b177ef61f2de0edf8a767e03a6891b35deca7926077
  SHA512: e2ea0ca20059fc9da46bd0074ee595fa046ec49351c1feb362c59a458947e1d44df95aa9fd6fe6f0be66c85e31152c60557189cd26bd4917dfec9452d4872bc0
memory/2428-116-0x0000000000000000-mapping.dmp
memory/2428-117-0x00000000001D0000-0x00000000001EB000-memory.dmp
  Filesize: 108KB