Analysis
-
max time kernel
201s -
max time network
218s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
29-01-2022 02:36
Static task
static1
Behavioral task
behavioral1
Sample
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
Resource
win10-en-20211208
General
-
Target
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
-
Size
4.1MB
-
MD5
d6e27197a91b203abf9d53e5efc1848c
-
SHA1
d12a1d69d0afeac94913aca59e5d7e8f2099288e
-
SHA256
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a
-
SHA512
002eabbb5e5087cc0015c579691b2a4f93a02532d7b0e379075143a16f0a938319ad292625aa141c7467707e39a1d8825593b74a71ca02cd01f419fa7369bf64
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exepid process 4036 bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 53 IoCs
Processes:
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exedescription ioc process File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe -
Drops file in Windows directory 1 IoCs
Processes:
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exedescription ioc process File opened for modification C:\Windows\svchost.com bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exedescription pid process target process PID 1212 wrote to memory of 4036 1212 bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe PID 1212 wrote to memory of 4036 1212 bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe PID 1212 wrote to memory of 4036 1212 bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe"C:\Users\Admin\AppData\Local\Temp\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\3582-490\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exe"2⤵
- Executes dropped EXE
PID:4036
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exeMD5
5efbf9c8aff4e52db51ad1713ff4567b
SHA12a2214b1e97d832817fe0e2f3a3824df2bc0b8fb
SHA2563e64d064e56fec78714b245353ccdac8423e95d2ebe103511934a309487b4fd5
SHA512f4b38b593747884234bb572e6b05e97a91152ad61dfab9f9417d5b0e276e3267abca7b9d94365e5452ffcfcdc091f41cd547615827413442666ebc1587c7d8ef
-
C:\Users\Admin\AppData\Local\Temp\3582-490\bcde9e1719f9f6e801bd21851546db341cfee05b64241f6c07220bea4803f52a.exeMD5
5efbf9c8aff4e52db51ad1713ff4567b
SHA12a2214b1e97d832817fe0e2f3a3824df2bc0b8fb
SHA2563e64d064e56fec78714b245353ccdac8423e95d2ebe103511934a309487b4fd5
SHA512f4b38b593747884234bb572e6b05e97a91152ad61dfab9f9417d5b0e276e3267abca7b9d94365e5452ffcfcdc091f41cd547615827413442666ebc1587c7d8ef