Analysis
-
max time kernel
179s -
max time network
197s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
29-01-2022 09:40
Static task
static1
Behavioral task
behavioral1
Sample
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
Resource
win10-en-20211208
General
-
Target
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
-
Size
756KB
-
MD5
9f8e178a38f1dd82bffc1f355ea267de
-
SHA1
2334987b49fa6a0c7c6e3bdc0dd1dcb9d3f1effc
-
SHA256
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b
-
SHA512
f0abfe970b897cc4b594af264aa9f721e3b29d7e2b235fc06a2392a4a582f8afe03f257e48791e0b6c08aa2ade3f794d815657234f8d465efb97545b24ea5df1
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 2 IoCs
Processes:
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exesetup_wm.exepid process 2564 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe 2348 setup_wm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe -
Drops file in Program Files directory 53 IoCs
Processes:
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exedescription ioc process File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe -
Drops file in Windows directory 1 IoCs
Processes:
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exedescription ioc process File opened for modification C:\Windows\svchost.com 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exedescription pid process target process PID 2400 wrote to memory of 2564 2400 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe PID 2400 wrote to memory of 2564 2400 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe PID 2400 wrote to memory of 2564 2400 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe PID 2564 wrote to memory of 2348 2564 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe setup_wm.exe PID 2564 wrote to memory of 2348 2564 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe setup_wm.exe PID 2564 wrote to memory of 2348 2564 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe setup_wm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe"C:\Users\Admin\AppData\Local\Temp\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe /AnyOS3⤵
- Executes dropped EXE
PID:2348
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exeMD5
bfc13d7005e9db75b0f806c8f3b0d1d6
SHA18adb420b56288f80dde5a9fad6c4e0c860a37ae3
SHA256a42909390664ebeeaa7e68fedf97b931bb248e5e6943997eaa67b2ed26d02319
SHA5121691f66b3f953bbde16c043b48dd1ea79c507e7c8adfa4705f2934cd0cc83450103515441402041a1449a889660ae76a71362edf27b52c884e61f3f6852ea8a8
-
C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exeMD5
bfc13d7005e9db75b0f806c8f3b0d1d6
SHA18adb420b56288f80dde5a9fad6c4e0c860a37ae3
SHA256a42909390664ebeeaa7e68fedf97b931bb248e5e6943997eaa67b2ed26d02319
SHA5121691f66b3f953bbde16c043b48dd1ea79c507e7c8adfa4705f2934cd0cc83450103515441402041a1449a889660ae76a71362edf27b52c884e61f3f6852ea8a8
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exeMD5
fb7432d3076400b2389b8da2374e7b02
SHA15418be5da6c9d432a03bf5618ea5dee0eb344fd6
SHA2564656693bf4b68e00daf30842566811120121f14da314a42af0e0e766c4463ecf
SHA51231127874db4345a98969c37a939cbcc19f18caff16200949ce98f4dc96dc70c83680b2cc4e97044364065e48524afdcbd72b51e33e0f0a6089fc64723e7733f3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exeMD5
fb7432d3076400b2389b8da2374e7b02
SHA15418be5da6c9d432a03bf5618ea5dee0eb344fd6
SHA2564656693bf4b68e00daf30842566811120121f14da314a42af0e0e766c4463ecf
SHA51231127874db4345a98969c37a939cbcc19f18caff16200949ce98f4dc96dc70c83680b2cc4e97044364065e48524afdcbd72b51e33e0f0a6089fc64723e7733f3