Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
17-11-2021 15:36
General
-
Target
186ee2b0fbae609d44351da0241dd0ec.exe
-
Size
900KB
-
MD5
186ee2b0fbae609d44351da0241dd0ec
-
SHA1
24a9e98e48c1b5a62cc01456fd7eb2d2782d4f90
-
SHA256
6315729f81fe55e4121e212fe2fb769e9cfbfba2178df45be066d5921817e371
-
SHA512
e52df0cb502fa5269c994cee6b231ab48935f68be1beed9db1b4c3a96425a7868f4d6dac6b1353d88a025992200063cc7c86ad6289939075e1b570e2cbd97b52
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"2⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
memory/972-55-0x0000000000C70000-0x0000000000C71000-memory.dmpFilesize
4KB
-
memory/972-57-0x0000000076A21000-0x0000000076A23000-memory.dmpFilesize
8KB
-
memory/972-58-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/972-59-0x0000000000380000-0x0000000000387000-memory.dmpFilesize
28KB
-
memory/972-60-0x0000000004A30000-0x0000000004A92000-memory.dmpFilesize
392KB
-
memory/972-61-0x0000000000560000-0x00000000005A0000-memory.dmpFilesize
256KB
-
memory/1892-64-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-63-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-65-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-66-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-67-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-68-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-70-0x0000000000408178-mapping.dmp
-
memory/1892-69-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-72-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1892-62-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB