Analysis

Max time kernel: 121s
Max time network: 134s
Submitted: 01-01-1970 00:00 (Unix epoch placeholder; the real submission time is not recorded on the page)

Tasks:
- static1: static task
- behavioral1: behavioral task, sample df330ab2a2e5aa4ac947315ee3f93992.exe, resource win7-en-20210920
- behavioral2: behavioral task, sample df330ab2a2e5aa4ac947315ee3f93992.exe, resource win10-en-20211014
General

Target: df330ab2a2e5aa4ac947315ee3f93992.exe
Size: 230KB
MD5: df330ab2a2e5aa4ac947315ee3f93992
SHA1: 76b5d1eee342b47fe58e2136a067712cbd210351
SHA256: 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
SHA512: e65f573d68e8f198024028d553210095173d1551e6074b60d9543977116a0286f75641f4692049a49e6cd03729b001027136419d6cf0c71645e800d5522ed895
Malware Config
None listed.

Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes: df330ab2a2e5aa4ac947315ee3f93992.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: df330ab2a2e5aa4ac947315ee3f93992.exe)
Decoded, the new handler is C:\Windows\svchost.com "%1" %* in place of the stock "%1" %*: from then on every .exe launched through the shell first runs the dropped C:\Windows\svchost.com, which receives the intended program and its arguments. This gives the infector persistence and a chance to run on every program launch.
Neshta
Neshta is a file-infecting virus: it copies its own code into other executables so that running any of them spreads the infection further and damages the host programs.
Loads dropped DLL (1 IoC)
Processes: df330ab2a2e5aa4ac947315ee3f93992.exe
- PID 3408 df330ab2a2e5aa4ac947315ee3f93992.exe
Reads user/profile data of web browsers (2 TTPs, no IoCs listed)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
Drops file in Program Files directory (53 IoCs)
Processes: df330ab2a2e5aa4ac947315ee3f93992.exe
All 53 entries are "File opened for modification" by df330ab2a2e5aa4ac947315ee3f93992.exe, and every target is an .exe under the Program Files / ProgramData trees (8.3 short names as reported by the sandbox), which is the footprint of a file infector rather than of an installer:
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WINDOW~2\wab.exe
- C:\PROGRA~2\WI54FB~1\wmpshare.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
- C:\PROGRA~2\WI54FB~1\wmprph.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\WINDOW~2\wabmig.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
- C:\PROGRA~2\WI54FB~1\wmpconfig.exe
- C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
- C:\PROGRA~2\WI54FB~1\wmlaunch.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\WINDOW~2\WinMail.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
- C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\WI54FB~1\setup_wm.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
Drops file in Windows directory (1 IoC)
Processes: df330ab2a2e5aa4ac947315ee3f93992.exe
- File opened for modification C:\Windows\svchost.com (process: df330ab2a2e5aa4ac947315ee3f93992.exe)
This is the file the hijacked exefile handler points at: a .com file named after the legitimate svchost.exe, placed directly in C:\Windows rather than in System32.
Enumerates physical storage devices (1 TTP, no IoCs listed)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for a file infector such as Neshta it is equally consistent with walking the attached drives to find executables to infect, which matches the file modifications recorded above.
Modifies registry class (1 IoC)
Processes: df330ab2a2e5aa4ac947315ee3f93992.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: df330ab2a2e5aa4ac947315ee3f93992.exe)
Same registry write as the "Modifies system executable filetype association" signature; it is reported under both signatures.
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: df330ab2a2e5aa4ac947315ee3f93992.exe
All 13 entries are identical: PID 3408 (df330ab2a2e5aa4ac947315ee3f93992.exe) wrote to memory of PID 1132 (df330ab2a2e5aa4ac947315ee3f93992.exe). The first instance, which loads the dropped DLL, writes into a second instance of its own image; per the process tree below it is that second instance (PID 1132) that performs the registry change and the file modifications.
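Added example (Python; not part of the sandbox report or of any vendor tooling): a small triage script that parses IoC lines in the format shown in the signatures above and pulls out the three artefacts that matter for this sample, namely the program inserted into the exefile handler, the file dropped under C:\Windows, and the executables touched under the Program Files trees. The sample lines are a constructed subset copied from this report; the line-format regexes, the function names and the summary field names are my own assumptions, not the sandbox's schema.

```python
"""Triage of Neshta-style sandbox IoC lines (added example, not the sandbox's code)."""
import re

# Registry line as printed in the report:
#   Set value (str) <key> = "<value with \\ and \" escapes>" <process>
_REG_SET = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
# File line as printed in the report:
#   File opened for modification <path> <process>
_FILE_MOD = re.compile(r'^File opened for modification (\S+) (\S+)$')

# Tail of the registry key that decides how every .exe is launched
EXEFILE_COMMAND = r'\classes\exefile\shell\open\command'
# Stock value of that key: run the target itself with its own arguments
DEFAULT_HANDLER = '"%1" %*'


def unescape(value):
    # Undo the report's escaping: a doubled backslash and an escaped quote
    # both become the single character that follows the backslash.
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg_set(line):
    """Return (key, decoded_value, process) for a 'Set value (str)' line, else None."""
    m = _REG_SET.match(line)
    if not m:
        return None
    key, value, proc = m.groups()
    return key, unescape(value), proc


def parse_file_mod(line):
    """Return (path, process) for a 'File opened for modification' line, else None."""
    m = _FILE_MOD.match(line)
    return m.groups() if m else None


def exefile_hijacker(handler):
    """Return the program inserted in front of "%1", or None for the stock handler.

    A non-default exefile handler means every .exe started through the shell
    first runs that program, which receives the intended executable as "%1".
    """
    handler = handler.strip()
    if handler == DEFAULT_HANDLER:
        return None
    prefix = handler.split('"%1"')[0].strip()
    return prefix or handler


def triage(lines):
    """Summarise IoC lines: exefile hijacker, C:\\Windows drops, Program Files .exe targets."""
    summary = {"exefile_hijacker": None, "windows_dir_drops": [], "program_files_exes": []}
    for line in lines:
        reg = parse_reg_set(line)
        if reg:
            key, value, _ = reg
            if key.rstrip("\\").lower().endswith(EXEFILE_COMMAND):
                summary["exefile_hijacker"] = exefile_hijacker(value)
            continue
        mod = parse_file_mod(line)
        if not mod:
            continue
        path = mod[0]
        low = path.lower()
        if low.startswith("c:\\windows\\"):
            summary["windows_dir_drops"].append(path)
        # C:\PROGRA~n are the 8.3 short names the sandbox prints for the Program Files / ProgramData trees
        elif low.startswith("c:\\progra~") and low.endswith(".exe"):
            summary["program_files_exes"].append(path)
    return summary


# Constructed sample: a subset of the IoC lines from this report.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" df330ab2a2e5aa4ac947315ee3f93992.exe',
    r'File opened for modification C:\Windows\svchost.com df330ab2a2e5aa4ac947315ee3f93992.exe',
    r'File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe df330ab2a2e5aa4ac947315ee3f93992.exe',
    r'File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe df330ab2a2e5aa4ac947315ee3f93992.exe',
    r'File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE df330ab2a2e5aa4ac947315ee3f93992.exe',
    r'File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe df330ab2a2e5aa4ac947315ee3f93992.exe',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("exefile handler hijacked by:", result["exefile_hijacker"])
    print("dropped under C:\\Windows:", result["windows_dir_drops"])
    print("Program Files executables modified:", len(result["program_files_exes"]))
```

On a live Windows host the equivalent check reads the (default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command and compares it with "%1" %*; anything else in front of "%1" is a launch hook, and the file it names is the first thing to collect before cleaning. The decoded handler from the report line above is C:\Windows\svchost.com "%1" %*, so the script reports C:\Windows\svchost.com as the hijacker and the same path as the only drop under the Windows directory.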
Processes

- C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe (PID 3408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe (PID 1132)
    Command line: "C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads

- \Users\Admin\AppData\Local\Temp\nsgFA40.tmp\oxtrp.dll (the dropped DLL; the "Loads dropped DLL" signature fires on PID 3408)
  MD5: c2c405109b51233def2b5bf15ffd2308
  SHA1: 14debd98b26edba7788aafcaa41f1d32e8fe1cbc
  SHA256: 7e16ed39ba05c887e6d1b470b6cc8de06fd67ed81fb2da85f645cfbc643ca154
  SHA512: 1c209d4110dc5295d5ba951cf5a22d62ab1bf65d9b5bf66f4c6a2e8e2f2cfd339f06cddf6b956d5f9a567ec8206d607753833ce94e14149d5bbc1b596c91b80b
  An ns????.tmp folder under %TEMP% is where NSIS-built installers unpack their plugin DLLs, so the outer sample is consistent with an NSIS package that carries the infector.
- memory/1132-119-0x0000000000000000-mapping.dmp
- memory/1132-120-0x00000000001D0000-0x00000000001EB000-memory.dmp (filesize 108KB, i.e. the 0x1B000-byte region of PID 1132's address space)