Overview

overview

10

Static

static

10

838051a068...d3.exe

windows7_x64

10

838051a068...d3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    168s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    03-02-2022 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe

  • Size

    451KB

  • MD5

    6de1e49036e9654914c333f39b17aa15

  • SHA1

    f9647c886e99852ba0ee47fa6ea9b1ac42ce9239

  • SHA256

    838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3

  • SHA512

    9791079dac388ed6225c4b6352dfe2090692359208f74a2950528bd1aba80aa3b6a88b7c882cfc787b8d29d77ca69d44d798075a4674152f350948312abfc054

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Detect Neshta Payload 7 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 5 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
    "C:\Users\Admin\AppData\Local\Temp\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MediaPlayer\register.bat" "
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 -s MediaDecFilter.ax
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3772
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\PROGRA~2\WINDOW~4\wmplayer.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\PROGRA~2\WINDOW~4\wmplayer.exe
            C:\PROGRA~2\WINDOW~4\wmplayer.exe
            5⤵
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3868
            • C:\Windows\svchost.com
              "C:\Windows\svchost.com" "C:\PROGRA~2\WINDOW~4\setup_wm.exe" /RunOnce:C:\PROGRA~2\WINDOW~4\wmplayer.exe
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:648
              • C:\PROGRA~2\WINDOW~4\setup_wm.exe
                C:\PROGRA~2\WINDOW~4\setup_wm.exe /RunOnce:C:\PROGRA~2\WINDOW~4\wmplayer.exe
                7⤵
                  PID:3344
              • C:\Windows\svchost.com
                "C:\Windows\svchost.com" "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious use of WriteProcessMemory
                PID:4064
                • C:\Windows\SysWOW64\unregmp2.exe
                  C:\Windows\System32\unregmp2.exe /AsyncFirstLogon
                  7⤵
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1860
                  • C:\Windows\svchost.com
                    "C:\Windows\svchost.com" "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
                    8⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious use of WriteProcessMemory
                    PID:1292
                    • C:\Windows\system32\unregmp2.exe
                      C:\Windows\SysNative\unregmp2.exe /AsyncFirstLogon /REENTRANT
                      9⤵
                      • Enumerates connected drives
                      • Suspicious use of AdjustPrivilegeToken
                      PID:692
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:2904
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe b42213a4b716d5ae5f23d945e7d43029 f0H8zsxoHEqpClXQUH6/bg.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3824
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3248

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
      MD5

      22913149a9d766c415c21e613e4e1d1b

      SHA1

      36b33b1ab48615ebe7bd25472d50ba3de56a21c6

      SHA256

      495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced

      SHA512

      d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\DllDeinterlace.dll
      MD5

      734654f3c6b732fad89fcc17f3816df1

      SHA1

      9c01926ebb01b5532d695791d0a93fddb0d19d36

      SHA256

      1616778babe6da0c0ceef10cbc7814a584299aaa01106b18c26f4e1f4da1dd74

      SHA512

      bb903eadfd37adfb4c9c0c19c26382d9b6e37a8cca469695c5b7e859b91c8f211be5f40a2df3d24a8fe9644541e6afbb891bfc08e634242415d5d563f4c97d7a

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\DllDeinterlace.dll
      MD5

      734654f3c6b732fad89fcc17f3816df1

      SHA1

      9c01926ebb01b5532d695791d0a93fddb0d19d36

      SHA256

      1616778babe6da0c0ceef10cbc7814a584299aaa01106b18c26f4e1f4da1dd74

      SHA512

      bb903eadfd37adfb4c9c0c19c26382d9b6e37a8cca469695c5b7e859b91c8f211be5f40a2df3d24a8fe9644541e6afbb891bfc08e634242415d5d563f4c97d7a

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\DllDeinterlace.dll
      MD5

      734654f3c6b732fad89fcc17f3816df1

      SHA1

      9c01926ebb01b5532d695791d0a93fddb0d19d36

      SHA256

      1616778babe6da0c0ceef10cbc7814a584299aaa01106b18c26f4e1f4da1dd74

      SHA512

      bb903eadfd37adfb4c9c0c19c26382d9b6e37a8cca469695c5b7e859b91c8f211be5f40a2df3d24a8fe9644541e6afbb891bfc08e634242415d5d563f4c97d7a

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\H264Play.dll
      MD5

      23843bfeb8843b8d858e47b77b2b3c93

      SHA1

      039d91bd47c2b46c6fb92735ee2c2cacf935b455

      SHA256

      0b1ec662062b3fae588706e82d07932239d04be218fbcb4d2995a1ee83858f00

      SHA512

      448ec6df8a7157a8bb2e7ddcad5ef2cb74f0a713b5889fd1ca7e31bd67380176228da79d43ae2b15c49e5419ca6c0e469d133035d853b51d426d241632a2fa8e

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\H264Play.dll
      MD5

      23843bfeb8843b8d858e47b77b2b3c93

      SHA1

      039d91bd47c2b46c6fb92735ee2c2cacf935b455

      SHA256

      0b1ec662062b3fae588706e82d07932239d04be218fbcb4d2995a1ee83858f00

      SHA512

      448ec6df8a7157a8bb2e7ddcad5ef2cb74f0a713b5889fd1ca7e31bd67380176228da79d43ae2b15c49e5419ca6c0e469d133035d853b51d426d241632a2fa8e

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\H264Play.dll
      MD5

      23843bfeb8843b8d858e47b77b2b3c93

      SHA1

      039d91bd47c2b46c6fb92735ee2c2cacf935b455

      SHA256

      0b1ec662062b3fae588706e82d07932239d04be218fbcb4d2995a1ee83858f00

      SHA512

      448ec6df8a7157a8bb2e7ddcad5ef2cb74f0a713b5889fd1ca7e31bd67380176228da79d43ae2b15c49e5419ca6c0e469d133035d853b51d426d241632a2fa8e

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\MediaDecFilter.ax
      MD5

      d94efc29c0f1af3e92ea638a97aacbfb

      SHA1

      e55082085fe91184a96c97de82918aaed7d4ec50

      SHA256

      576a2f1cd68fe2451f1e72569adcc30763c2f17f2ae36c733fface95947119ac

      SHA512

      5aa5763d80c321f6b75d85d748c96f600fe827a2a9e7b7c2bbc648eeb7981229a5add47b0f16e75ab2952b9ea73ef0c1bf601854b3b671e11f19ee83f373e790

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\MediaDecFilter.ax
      MD5

      d94efc29c0f1af3e92ea638a97aacbfb

      SHA1

      e55082085fe91184a96c97de82918aaed7d4ec50

      SHA256

      576a2f1cd68fe2451f1e72569adcc30763c2f17f2ae36c733fface95947119ac

      SHA512

      5aa5763d80c321f6b75d85d748c96f600fe827a2a9e7b7c2bbc648eeb7981229a5add47b0f16e75ab2952b9ea73ef0c1bf601854b3b671e11f19ee83f373e790

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\StreamReader.dll
      MD5

      309f2be26196ba2b728d11ae02aec796

      SHA1

      e6d2383405c1c5786d32d343834c47fe9e5a73d8

      SHA256

      6460159348372c318b51f8568cff04c92df38c8bb2fcfc447061e6fcfd74b523

      SHA512

      8b88f74ddbae95b1cf3462d440be2d7293d54c40164f85f224219d92bea580fec2e2cad50c993e25ff2a09f2cb41fc28ac2324a6613b1a34d1f45194c2cb3331

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\StreamReader.dll
      MD5

      309f2be26196ba2b728d11ae02aec796

      SHA1

      e6d2383405c1c5786d32d343834c47fe9e5a73d8

      SHA256

      6460159348372c318b51f8568cff04c92df38c8bb2fcfc447061e6fcfd74b523

      SHA512

      8b88f74ddbae95b1cf3462d440be2d7293d54c40164f85f224219d92bea580fec2e2cad50c993e25ff2a09f2cb41fc28ac2324a6613b1a34d1f45194c2cb3331

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\StreamReader.dll
      MD5

      309f2be26196ba2b728d11ae02aec796

      SHA1

      e6d2383405c1c5786d32d343834c47fe9e5a73d8

      SHA256

      6460159348372c318b51f8568cff04c92df38c8bb2fcfc447061e6fcfd74b523

      SHA512

      8b88f74ddbae95b1cf3462d440be2d7293d54c40164f85f224219d92bea580fec2e2cad50c993e25ff2a09f2cb41fc28ac2324a6613b1a34d1f45194c2cb3331

      Download Submit
    • C:\Program Files (x86)\MediaPlayer\register.bat
      MD5

      fe50f67e4428d0cde389bba153956fdd

      SHA1

      0c9d717f4836897d90338e8a2b11b4abda291577

      SHA256

      c062062b37395f135bfcc3881f3d70454bd8b8cecabf5ad678aa6daea482daa7

      SHA512

      9fbe7f3afd8cf775596146513c8c226e23fee5603527f853e47e8eb5ff2d34e6626bec85a94f698c474b2762caad8c0f15d6c7df861b0f1ede5b0e47617d3641

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
      MD5

      09dc7150ded0b6d8ad0568cfb74e9af7

      SHA1

      134e51cd5261c43bdbc5e2a9ed778d10ca3bf844

      SHA256

      62b58074a8939666e2ffa5739ffb1ccd8a195628e56e28d8680a27a2b47109d1

      SHA512

      bd7976417ad2257d117064b89565a5b7e0be64814dc4a9edf680a8f56cd754b14e6200f253619beee1b503bdeccc108c4e5c582dbc448cdc92ec7d7850e38c6c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\838051a06809ce7f19d9de22352a05bab997d238ec6d264afed92407069655d3.exe
      MD5

      09dc7150ded0b6d8ad0568cfb74e9af7

      SHA1

      134e51cd5261c43bdbc5e2a9ed778d10ca3bf844

      SHA256

      62b58074a8939666e2ffa5739ffb1ccd8a195628e56e28d8680a27a2b47109d1

      SHA512

      bd7976417ad2257d117064b89565a5b7e0be64814dc4a9edf680a8f56cd754b14e6200f253619beee1b503bdeccc108c4e5c582dbc448cdc92ec7d7850e38c6c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
      MD5

      10b3c555a03ac080d55aa504cddd01ce

      SHA1

      dc3a7ea601d83853cc210b108b76cfddd9ae0a20

      SHA256

      5e4749598be7dfaad7721315648724bdf49188d4c3a43fea54affe6a6f85d380

      SHA512

      46947cec421ef7a02b3db3deb6acc0c7255df5c71d76d057e16d88dfcd5e2c978d4619807660ba2e56ff89c795d8c55f8b4bbc46a67ae5cc5f4c6f6f3b8c7c89

      Download Submit
    • C:\Windows\directx.sys
      MD5

      e89556a2d7afdcdceb085a26de700ea2

      SHA1

      fbd96dd80eb1be5a417bfbbbb37f63103d705ee4

      SHA256

      b9bb6c239684372215930bf1af37f30b32d7ca73080123442854343a5fe5064f

      SHA512

      a5fabe951ca8d6612017ba5936c5b43af1c81d91c01a3df9900bdd571df843d0be41e7452d727d43c205f48f7c20fdf5faf675fffe3f3611132094cace3c93a0

      Download Submit
    • C:\Windows\directx.sys
      MD5

      7ea5ba0cb61e865c68a86d815d626ad1

      SHA1

      9780234a8d15de4ef01f4545d024077bbbc1d4f0

      SHA256

      44960d7a1554687c2457e6320f47edfc1aeeb3077497b0061fbd1eee6d5612f1

      SHA512

      1fa06e6eaab68b89db2e46450b428b7827dbaa157af8f8aa0b3e1321fc5ebb6a1582027aa4b873a3a67a9690f4928e6a5ca51acfbf5fec07c07819b2c2f8f8cb

      Download Submit
    • C:\Windows\directx.sys
      MD5

      9e5d0d03e9709a2db7d88bb3686e378f

      SHA1

      7a5ff52eb19432d719e617a1d220ea75251a93be

      SHA256

      b78d74237516b31db061e8c459812e477fe33c25f9814e9bd02ef0b98f94a1bb

      SHA512

      14ec511ade72bcc18e97f9a1c98f5e27ac541be9c9b612e9ed5799c0e6e01eb317264e5517dd4c971ac6615f79dafee87b4ee110772073f2ea2b8e496127771d

      Download Submit
    • C:\Windows\svchost.com
      MD5

      bc93f4f527b58419ef42f19db49f64a8

      SHA1

      2650a73b61577cfc0c0d80a7f38103d65388d808

      SHA256

      d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

      SHA512

      4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

      Download Submit
    • C:\Windows\svchost.com
      MD5

      bc93f4f527b58419ef42f19db49f64a8

      SHA1

      2650a73b61577cfc0c0d80a7f38103d65388d808

      SHA256

      d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

      SHA512

      4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

      Download Submit
    • C:\Windows\svchost.com
      MD5

      bc93f4f527b58419ef42f19db49f64a8

      SHA1

      2650a73b61577cfc0c0d80a7f38103d65388d808

      SHA256

      d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

      SHA512

      4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

      Download Submit
    • C:\Windows\svchost.com
      MD5

      bc93f4f527b58419ef42f19db49f64a8

      SHA1

      2650a73b61577cfc0c0d80a7f38103d65388d808

      SHA256

      d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

      SHA512

      4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

      Download Submit
    • C:\Windows\svchost.com
      MD5

      bc93f4f527b58419ef42f19db49f64a8

      SHA1

      2650a73b61577cfc0c0d80a7f38103d65388d808

      SHA256

      d146be51818e0e408577879f76b6f4a13cb3cfc135b9cc2a4145cf50f7592830

      SHA512

      4958c8477424c144412b93f7b1242121abd19e1777b276cac1bc3dfe78067cb3d2af24da6c325b2dd5604aa2505d815d0d2811ca788cedb8bccbfbd622ed0e83

      Download Submit
    • C:\odt\OFFICE~1.EXE
      MD5

      02c3d242fe142b0eabec69211b34bc55

      SHA1

      ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

      SHA256

      2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

      SHA512

      0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

      Download Submit
    • memory/3772-456-0x0000000004220000-0x00000000042C7000-memory.dmp
      Filesize

      668KB

      Download
    • memory/3772-463-0x0000000000B11000-0x0000000000B1F000-memory.dmp
      Filesize

      56KB

      Download