Analysis
-
max time kernel
196s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
06-02-2022 09:00
Static task
static1
Behavioral task
behavioral1
Sample
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
Resource
win10v2004-en-20220113
General
-
Target
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
-
Size
471KB
-
MD5
6a2ce11c38d1dbe2057ea8ab193450f9
-
SHA1
2146da22cb07e2c2416a65710517ae8ecd05ece3
-
SHA256
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574
-
SHA512
1cd44daa13f11788e53914ffcf1fc57f14a29c754260b80e061e88fa798665875b41f843a51897c63c979c10a50694f534cdd7e9b15ff46cede84cb17e2e736e
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exepid process 1908 bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe -
Drops file in Windows directory 7 IoCs
Processes:
svchost.exebc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\svchost.com bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 4216 svchost.exe Token: SeCreatePagefilePrivilege 4216 svchost.exe Token: SeShutdownPrivilege 4216 svchost.exe Token: SeCreatePagefilePrivilege 4216 svchost.exe Token: SeShutdownPrivilege 4216 svchost.exe Token: SeCreatePagefilePrivilege 4216 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exedescription pid process target process PID 4836 wrote to memory of 1908 4836 bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe PID 4836 wrote to memory of 1908 4836 bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe PID 4836 wrote to memory of 1908 4836 bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe"C:\Users\Admin\AppData\Local\Temp\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exe"2⤵
- Executes dropped EXE
PID:1908
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4216
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exeMD5
023028e675b8efbfaed53720026376a0
SHA112cdff8591d6fa09f3d7f6a6b134c4261974ea0d
SHA256d76a2c33c7e4beccececfdd574c1a80500efd6672f8fa79d994b58ea04d145f9
SHA512141fd47a381dcded22837805f3ed29bd086c5d1a88b4ca863eba012a5e8d40949d112b71fad71e096fa6455bf5837724145e4ca09ac2946c98e6ae4847133cab
-
C:\Users\Admin\AppData\Local\Temp\3582-490\bc85cf54592e1aaed718075fc8216a114f3848ce1eef5da6b40de761a3a32574.exeMD5
023028e675b8efbfaed53720026376a0
SHA112cdff8591d6fa09f3d7f6a6b134c4261974ea0d
SHA256d76a2c33c7e4beccececfdd574c1a80500efd6672f8fa79d994b58ea04d145f9
SHA512141fd47a381dcded22837805f3ed29bd086c5d1a88b4ca863eba012a5e8d40949d112b71fad71e096fa6455bf5837724145e4ca09ac2946c98e6ae4847133cab
-
memory/4216-144-0x0000017056430000-0x0000017056434000-memory.dmpFilesize
16KB