Analysis
- Max time kernel: 146s
- Max time network: 132s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 29-01-2022 18:07
Static task: static1
Behavioral task: behavioral1
- Sample: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Resource: win10-en-20211208
General
- Target: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Size: 162KB
- MD5: 5a68f149c193715d13a361732f5adaa1
- SHA1: 595acedc67537f8c76f9d7716f2ff0a64a44da77
- SHA256: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f
- SHA512: e14ce2baed8aebf651f6fb722bf2913dedd06aeb23555eaf75d4edfc772dd18161257c809903fbfcb2f5515fdd00f33283570b2431a1162151c239dd145a2551
Malware Config
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes:
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Neshta
  Malware from the Neshta family infects other executable files in order to spread and cause damage.
- Executes dropped EXE (2 IoCs)
  Processes:
  PID | Process
  2004 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  288 | javaj.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  PID | Process
  1148 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  1148 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  2004 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  2004 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  1148 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaj = "C:\\Users\\Admin\\AppData\\Roaming\\usercache\\javaj.exe" | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaj = "C:\\Users\\Admin\\AppData\\Roaming\\usercache\\javaj.exe" | javaj.exe
- Drops file in Program Files directory (20 IoCs)
  Processes:
  Description | IoC | Process
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  Description | IoC | Process
  File opened for modification | C:\Windows\svchost.com | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes:
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
  PID | Process
  288 | javaj.exe (listed 15 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  Description | PID | Process | Target process
  PID 1148 wrote to memory of 2004 (listed 4 times) | 1148 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  PID 2004 wrote to memory of 288 (listed 4 times) | 2004 | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe | javaj.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe"
  PID: 1148
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe"
    PID: 2004
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\usercache\javaj.exe
      Command line: "C:\Users\Admin\AppData\Roaming\usercache\javaj.exe"
      PID: 288
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  MD5: 5a97d62dc84ede64846ea4f3ad4d2f93
  SHA1: a2c43e386b639fda382a954d10867439289fb235
  SHA256: 337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a
  SHA512: a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7
- C:\Users\Admin\AppData\Roaming\bootstrap
  MD5: a3069c7c56b08b56fdb32d7a4cfc4cce
  SHA1: 635789a8a9b0355e64257014573f39a52283f80e
  SHA256: 0199dea0ac6f6d46a1cbdbbd8757d6c4345a60737950340ad4631fbcb72725d2
  SHA512: e5c72ce9ab9c3dde83b99f992be54677b38072ccec78cb984695ba05200581331eb16afe680167ca08078cdc44fc04e6abeff6a482bafb719b42ef6c495cb469
- C:\Users\Admin\AppData\Roaming\usercache\javaj.exe
  MD5: 5a97d62dc84ede64846ea4f3ad4d2f93
  SHA1: a2c43e386b639fda382a954d10867439289fb235
  SHA256: 337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a
  SHA512: a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7
- \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- \Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  MD5: 5a97d62dc84ede64846ea4f3ad4d2f93
  SHA1: a2c43e386b639fda382a954d10867439289fb235
  SHA256: 337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a
  SHA512: a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7
- \Users\Admin\AppData\Roaming\usercache\javaj.exe
  MD5: 5a97d62dc84ede64846ea4f3ad4d2f93
  SHA1: a2c43e386b639fda382a954d10867439289fb235
  SHA256: 337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a
  SHA512: a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7
- memory/1148-55-0x0000000076511000-0x0000000076513000-memory.dmp
  Filesize: 8KB