Analysis
- max time kernel: 171s
- max time network: 180s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-01-2022 18:07
Static task: static1
Behavioral task: behavioral1
  Sample: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  Resource: win10-en-20211208
General
- Target: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
- Size: 162KB
- MD5: 5a68f149c193715d13a361732f5adaa1
- SHA1: 595acedc67537f8c76f9d7716f2ff0a64a44da77
- SHA256: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f
- SHA512: e14ce2baed8aebf651f6fb722bf2913dedd06aeb23555eaf75d4edfc772dd18161257c809903fbfcb2f5515fdd00f33283570b2431a1162151c239dd145a2551
Malware Config
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Neshta
  Malware from the Neshta family injects itself into other files in order to spread and cause damage.
- Executes dropped EXE (2 IoCs)
  PID 2008: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  PID 576: javaj.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaj = "C:\\Users\\Admin\\AppData\\Roaming\\usercache\\javaj.exe"
  Process: javaj.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaj = "C:\\Users\\Admin\\AppData\\Roaming\\usercache\\javaj.exe"
- Drops file in Program Files directory (53 IoCs)
  Process: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  File opened for modification:
    C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
    C:\PROGRA~2\WI54FB~1\wmprph.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
    C:\PROGRA~2\Google\Update\DISABL~1.EXE
    C:\PROGRA~2\WINDOW~2\wabmig.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
    C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
    C:\PROGRA~2\WI54FB~1\wmlaunch.exe
    C:\PROGRA~2\WI54FB~1\wmpconfig.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
    C:\PROGRA~2\WI54FB~1\setup_wm.exe
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
    C:\PROGRA~2\INTERN~1\ieinstal.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
    C:\PROGRA~2\WI54FB~1\wmplayer.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
    C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
    C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
    C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
    C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
    C:\PROGRA~2\WINDOW~2\WinMail.exe
    C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
    C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
    C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
    C:\PROGRA~2\INTERN~1\iexplore.exe
    C:\PROGRA~2\WINDOW~2\wab.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
    C:\PROGRA~2\INTERN~1\ExtExport.exe
    C:\PROGRA~2\INTERN~1\ielowutil.exe
    C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
    C:\PROGRA~2\WI54FB~1\wmpshare.exe
    C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- Drops file in Windows directory (1 IoC)
  Process: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
    File opened for modification: C:\Windows\svchost.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Process: 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  PID 576: javaj.exe (28 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3596 (45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe) wrote to memory of PID 2008 (45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe), 3 entries
  PID 2008 (45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe) wrote to memory of PID 576 (javaj.exe), 3 entries
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe"
  PID: 3596
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe"
    PID: 2008
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Roaming\usercache\javaj.exe
      Command line: "C:\Users\Admin\AppData\Roaming\usercache\javaj.exe"
      PID: 576
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
  MD5: 5a97d62dc84ede64846ea4f3ad4d2f93
  SHA1: a2c43e386b639fda382a954d10867439289fb235
  SHA256: 337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a
  SHA512: a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7
- C:\Users\Admin\AppData\Roaming\bootstrap
  MD5: a3069c7c56b08b56fdb32d7a4cfc4cce
  SHA1: 635789a8a9b0355e64257014573f39a52283f80e
  SHA256: 0199dea0ac6f6d46a1cbdbbd8757d6c4345a60737950340ad4631fbcb72725d2
  SHA512: e5c72ce9ab9c3dde83b99f992be54677b38072ccec78cb984695ba05200581331eb16afe680167ca08078cdc44fc04e6abeff6a482bafb719b42ef6c495cb469
- C:\Users\Admin\AppData\Roaming\usercache\javaj.exe
  MD5: 5a97d62dc84ede64846ea4f3ad4d2f93
  SHA1: a2c43e386b639fda382a954d10867439289fb235
  SHA256: 337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a
  SHA512: a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7