Analysis
max time kernel: 118s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211014
submitted: 17-11-2021 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: 186ee2b0fbae609d44351da0241dd0ec.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 186ee2b0fbae609d44351da0241dd0ec.exe
  Resource: win10-en-20211014
General
Target: 186ee2b0fbae609d44351da0241dd0ec.exe
Size: 900KB
MD5: 186ee2b0fbae609d44351da0241dd0ec
SHA1: 24a9e98e48c1b5a62cc01456fd7eb2d2782d4f90
SHA256: 6315729f81fe55e4121e212fe2fb769e9cfbfba2178df45be066d5921817e371
SHA512: e52df0cb502fa5269c994cee6b231ab48935f68be1beed9db1b4c3a96425a7868f4d6dac6b1353d88a025992200063cc7c86ad6289939075e1b570e2cbd97b52
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 186ee2b0fbae609d44351da0241dd0ec.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1960 set thread context of 3676 | 1960 | 186ee2b0fbae609d44351da0241dd0ec.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
Drops file in Program Files directory (53 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
  File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
Drops file in Windows directory (1 IoC)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | 186ee2b0fbae609d44351da0241dd0ec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 186ee2b0fbae609d44351da0241dd0ec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  1960 | 186ee2b0fbae609d44351da0241dd0ec.exe
  1960 | 186ee2b0fbae609d44351da0241dd0ec.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1960 | 186ee2b0fbae609d44351da0241dd0ec.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  The following entry is recorded 11 times:
  PID 1960 wrote to memory of 3676 | 1960 | 186ee2b0fbae609d44351da0241dd0ec.exe | 186ee2b0fbae609d44351da0241dd0ec.exe
Processes
C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"
  Depth: 1
  PID: 1960
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\186ee2b0fbae609d44351da0241dd0ec.exe"
    Depth: 2
    PID: 3676
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1960-115-0x0000000000610000-0x0000000000611000-memory.dmp (Filesize 4KB)
memory/1960-117-0x00000000053B0000-0x00000000053B1000-memory.dmp (Filesize 4KB)
memory/1960-118-0x0000000004F50000-0x0000000004F51000-memory.dmp (Filesize 4KB)
memory/1960-119-0x0000000004F30000-0x0000000004F31000-memory.dmp (Filesize 4KB)
memory/1960-120-0x0000000004EB0000-0x00000000053AE000-memory.dmp (Filesize 5.0MB)
memory/1960-121-0x00000000051D0000-0x00000000051D7000-memory.dmp (Filesize 28KB)
memory/1960-122-0x0000000007700000-0x0000000007701000-memory.dmp (Filesize 4KB)
memory/1960-123-0x00000000078A0000-0x0000000007902000-memory.dmp (Filesize 392KB)
memory/1960-124-0x0000000007910000-0x0000000007950000-memory.dmp (Filesize 256KB)
memory/3676-125-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)
memory/3676-126-0x0000000000408178-mapping.dmp
memory/3676-127-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize 108KB)