Analysis
- max time kernel: 78s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 11:00
Static task: static1
Behavioral task: behavioral1
- Sample: 1be75ae8266bee2a29b8846a503fbd44.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 1be75ae8266bee2a29b8846a503fbd44.exe
- Resource: win10-en-20210920
General
- Target: 1be75ae8266bee2a29b8846a503fbd44.exe
- Size: 234KB
- MD5: 1be75ae8266bee2a29b8846a503fbd44
- SHA1: c7c70d46a08ee09f94e65cadbb86eeb706989db5
- SHA256: 6abec81da375b886b6e0fe09360f68980fcc3f51f00dbcdaf3a7945420e73b57
- SHA512: e478fc3f17cbd151e08a96977706e3976c34bbaaf0a4dec01b7bef9d461dd78a5f6e8449d6cdf46850b20746df9887ca993befe3cce1dbe27a9eb2b7960842d0
Malware Config
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: 1be75ae8266bee2a29b8846a503fbd44.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Neshta
  Malware from the Neshta family is designed to insert itself into other files in order to spread and cause damage.
- Loads dropped DLL (1 IoC)
  Process: 1be75ae8266bee2a29b8846a503fbd44.exe (PID 2516)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Drops file in Program Files directory (53 IoCs)
  Process: 1be75ae8266bee2a29b8846a503fbd44.exe
- Drops file in Windows directory (1 IoC)
  Process: 1be75ae8266bee2a29b8846a503fbd44.exe
  File opened for modification: C:\Windows\svchost.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process: 1be75ae8266bee2a29b8846a503fbd44.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Suspicious use of WriteProcessMemory (13 IoCs)
  Process: 1be75ae8266bee2a29b8846a503fbd44.exe
  PID 2516 (1be75ae8266bee2a29b8846a503fbd44.exe) wrote to memory of PID 3176 (1be75ae8266bee2a29b8846a503fbd44.exe); the same entry is recorded 13 times.
Processes
- C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe (PID 2516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe (PID 3176, child of PID 2516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1be75ae8266bee2a29b8846a503fbd44.exe"
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsfAB74.tmp\xwaahew.dll
  MD5: 1792a656868a4d2689ed3d4b577d7426
  SHA1: bb62d812490c8d3154b9f34d72d75b9c0239d820
  SHA256: ec60e96dc49a9fc57aabe1a6c6fcd58bab85010916de0b299a95af44ef332dd1
  SHA512: b2408f5c9d1752f01189a180912e6d985e929a95c82904028157eeda33e01a7bfb654dd7930faee97af97ec1f5162b4e7b0d7777d11ddeeb39b4c0c520aa62ff
- memory/3176-116-0x0000000000000000-mapping.dmp
- memory/3176-117-0x00000000001D0000-0x00000000001EB000-memory.dmp
  Filesize: 108KB