Overview

overview

10

Static

static

10

9be084ce05...85.exe

windows7_x64

10

9be084ce05...85.exe

windows10_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885.exe

  • Size

    513KB

  • MD5

    85ffc86df081fdc9c5d56546ec1303d9

  • SHA1

    890a52b1d59768fb66b563b3534650505d24c0c5

  • SHA256

    9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885

  • SHA512

    fa8dc635b1a745ef5db5debd424b08b287d16726c84d8e27885465da7689b73aa2dfc221747bda2083a989072f3bbda9694a932e3619819ec3cf0f051f5b3ebb

Score
10/10
neshtasodinokibipersistenceransomwarespywarestealer

Malware Config

Signatures

  • Detect Neshta Payload 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885.exe
    "C:\Users\Admin\AppData\Local\Temp\9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:504
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 864
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 876
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 968
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:420
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 1020
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 988
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 972
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Users\Admin\AppData\Local\Temp\3582-490\9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885.exe"
      2⤵
      • Executes dropped EXE
      PID:2968
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 232
        3⤵
        • Program crash
        • Suspicious use of AdjustPrivilegeToken
        PID:3540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 1244
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 1168
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885.exe
    MD5

    649ff497debe579e8d2717c7e6127bce

    SHA1

    009434c92402b7e1abdf5622cdd9507ba5c1a01f

    SHA256

    dd15f8cf54916066e76cb48b73cc20af566e16833648328dfff4605a5c49da99

    SHA512

    5958f8c8e3521ae52d2bfba55092b738576bf5b38e428949169e7fcecf4286b9c04240b77b226d74e5132675b21dd3e301930d6ca5ce770e634795d132ddeabc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\9be084ce0587d50c894f337439b0f93c42da949bb1aa7d98e1f86f9df37d8885.exe
    MD5

    649ff497debe579e8d2717c7e6127bce

    SHA1

    009434c92402b7e1abdf5622cdd9507ba5c1a01f

    SHA256

    dd15f8cf54916066e76cb48b73cc20af566e16833648328dfff4605a5c49da99

    SHA512

    5958f8c8e3521ae52d2bfba55092b738576bf5b38e428949169e7fcecf4286b9c04240b77b226d74e5132675b21dd3e301930d6ca5ce770e634795d132ddeabc

    Download Submit

  • memory/504-118-0x0000000000A10000-0x0000000000A42000-memory.dmp

    Filesize

    200KB

    Download

  • memory/504-119-0x00000000008C0000-0x0000000000A0A000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/504-120-0x0000000000400000-0x0000000000789000-memory.dmp

    Filesize

    3.5MB

    Download