Analysis

max time kernel: 160s
max time network: 164s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-01-2022 00:57

Static task: static1

Behavioral task: behavioral1
  Sample: d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
  Resource: win10-en-20211208

General

Target: d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
Size: 388KB
MD5: 573ba3a6bd1ed5e08607edd87abf179c
SHA1: 7c9f4fea91a14701a3e5cb2f851c3dff34fb5ff2
SHA256: d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902
SHA512: 98a634a88e9a27ff0807b93a5c38d57554ea71f7b66602e707cbc8bfb4d6af794895d072f10e55f5d51e401be07ab3c62fbd38eeda6b3e64c843e9e0f08a0f35
Malware Config
Signatures

Detect Neshta Payload (2 IoCs)
YARA rule family_neshta matched on:
  behavioral2/memory/3280-119-0x0000000004FB0000-0x0000000004FBC000-memory.dmp
  behavioral2/memory/3280-120-0x0000000000400000-0x0000000004E49000-memory.dmp
Modifies system executable filetype association (2 TTPs, 1 IoC)
Process d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Neshta
Malware from the Neshta family is a file infector: it injects itself into other executable files in order to spread and cause damage.

Sodin / Sodinokibi / REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
Sodinokibi/REvil sample (2 IoCs)
YARA rule family_sodinokobi matched (2 hits) on:
  C:\Users\Admin\AppData\Local\Temp\3582-490\d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
Executes dropped EXE (1 IoC)
PID 948: d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (53 IoCs)
Process d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe opened the following files for modification:
Drops file in Windows directory (1 IoC)
Process d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
  File opened for modification: C:\Windows\svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
PID 1320 WerFault.exe, target PID 948 d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
Modifies registry class (1 IoC)
Process d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Suspicious behavior: EnumeratesProcesses (12 IoCs)
PID 1320 WerFault.exe (12 occurrences)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
PID 1320 WerFault.exe
  Token: SeRestorePrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3280 d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe wrote to memory of PID 948 d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe (3 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe"
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 232
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\d53e6eb20d40a10c81e23bd9d6c9ebdf6da3c4620583028def3c517f1db09902.exe
  MD5: 6bb36bf45c7b5f05ee94de0fa725ff28
  SHA1: 2cbe96f164b9440dc59792174a97bbf883bc1f86
  SHA256: 6587dc9d61cb40c3b10670301c2cb561aa134e8b26c603ff289b732c7f243147
  SHA512: 3ae131b122452a4de174bace23ba022a159cb6d18eda3a6aed64dd1f514d13b8612b135c04c5ce11342ed27b9eae2f4e8327536cc00673b4ab29548ec12143ea
memory/3280-118-0x00000000050F0000-0x0000000005124000-memory.dmp
  Filesize: 208KB

memory/3280-119-0x0000000004FB0000-0x0000000004FBC000-memory.dmp
  Filesize: 48KB

memory/3280-120-0x0000000000400000-0x0000000004E49000-memory.dmp
  Filesize: 74.3MB