Overview

overview

10

Static

static

10

bc85cf5459...74.exe

windows7_x64

10

bc85cf5459...74.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    196s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    06-02-2022 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe

  • Size

    471KB

  • MD5

    6a2ce11c38d1dbe2057ea8ab193450f9

  • SHA1

    2146da22cb07e2c2416a65710517ae8ecd05ece3

  • SHA256

    bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574

  • SHA512

    1cd44daa13f11788e53914ffcf1fc57f14a29c754260b80e061e88fa798665875b41f843a51897c63c979c10a50694f534cdd7e9b15ff46cede84cb17e2e736e

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
    "C:\Users\Admin\AppData\Local\Temp\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe"
      2⤵
      • Executes dropped EXE
      PID:1908
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4216

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
    MD5

    023028e675b8efbfaed53720026376a0

    SHA1

    12cdff8591d6fa09f3d7f6a6b134c4261974ea0d

    SHA256

    d76a2c33c7e4beccececfdd574c1a80500efd6672f8fa79d994b58ea04d145f9

    SHA512

    141fd47a381dcded22837805f3ed29bd086c5d1a88b4ca863eba012a5e8d40949d112b71fad71e096fa6455bf5837724145e4ca09ac2946c98e6ae4847133cab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
    MD5

    023028e675b8efbfaed53720026376a0

    SHA1

    12cdff8591d6fa09f3d7f6a6b134c4261974ea0d

    SHA256

    d76a2c33c7e4beccececfdd574c1a80500efd6672f8fa79d994b58ea04d145f9

    SHA512

    141fd47a381dcded22837805f3ed29bd086c5d1a88b4ca863eba012a5e8d40949d112b71fad71e096fa6455bf5837724145e4ca09ac2946c98e6ae4847133cab

    Download Submit
  • memory/4216-144-0x0000017056430000-0x0000017056434000-memory.dmp
    Filesize

    16KB

    Download