Analysis
max time kernel: 120s
max time network: 135s
platform: windows10_x64
resource: win10-en-20210920
submitted: 29-10-2021 18:57
Static task: static1
Behavioral task: behavioral1
  Sample: 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
  Resource: win10-en-20210920
General
Target: 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Size: 234KB
MD5: 8d97ea0aeb6dbb5bfe61a2a45809dd90
SHA1: c2abdfefadc76b9f78b500f5b3aba9321a5d42e1
SHA256: 8397681fb127b7050397870b95f23d310f2e62ee5c2e3a7410d2daeec99e9e06
SHA512: b199abfc0abe5f46873ceaccd287e973a6285d40caeb9320f126bfdc081f4bbd8dc706a2a2ca74a305fd5666772db877cb6bc1ea35448585941b1f191405779e
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Neshta
Malware from the Neshta family inserts itself into other files in order to spread and cause damage.
Loads dropped DLL (1 IoC)
Processes (pid | process):
  4044 | 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in Program Files directory (53 IoCs)
Processes (description | ioc | process). All 53 rows have description "File opened for modification" and process 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe; the ioc column is:
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~2\WI54FB~1\wmplayer.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~2\INTERN~1\ExtExport.exe
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\WI54FB~1\wmpshare.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WINDOW~2\WinMail.exe
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Drops file in Windows directory (1 IoC)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\svchost.com | 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description | pid | process | target process), 13 identical rows:
  PID 4044 wrote to memory of 4028 | 4044 | 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe | 8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 4044
   2. C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8d97ea0aeb6dbb5bfe61a2a45809dd90.exe"
      - Modifies system executable filetype association
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      PID: 4028
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\nsjD97A.tmp\vskgzcgvn.dll
  MD5: 879fe70b7d9b58770c4c5ff43b6af498
  SHA1: f9fd57ae071014e5ccb32440ee52d2c51166a0c3
  SHA256: cabc6346c99a2f74c7cac1d4c1f83538cce9b0047c8437e240af03338b73f192
  SHA512: 49a6740fea7f230da9808b46b6f2f896c05894b4dad923cbdd1fec0859e4bd4afc2fddca4655b7d2e3553e5e36605f73db2b64fde9a509a4fcf957eec87d3773
memory/4028-116-0x0000000000000000-mapping.dmp
memory/4028-117-0x00000000001D0000-0x00000000001EB000-memory.dmp
  Filesize: 108KB