Analysis
-
max time kernel
193s -
max time network
216s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-02-2022 16:41
Static task
static1
Behavioral task
behavioral1
Sample
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
Resource
win10v2004-en-20220113
General
-
Target
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
-
Size
130KB
-
MD5
a38d20580f01d0b556a8e8a466d9e693
-
SHA1
049fe5ec1aeb8b17c28de14c03e10b7509e8f161
-
SHA256
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6
-
SHA512
c4390b78b2010a336ee8f75c59ef9e8f664009747798642c17ac7bd4f72fc030bc485e530c410372780f8e941e4ee6b317d6b45b8c5235b545c240281bbe54e3
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exepid process 2068 c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe -
Drops file in Program Files directory 16 IoCs
Processes:
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exedescription ioc process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe -
Drops file in Windows directory 7 IoCs
Processes:
svchost.exec259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\svchost.com c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 4380 svchost.exe Token: SeCreatePagefilePrivilege 4380 svchost.exe Token: SeShutdownPrivilege 4380 svchost.exe Token: SeCreatePagefilePrivilege 4380 svchost.exe Token: SeShutdownPrivilege 4380 svchost.exe Token: SeCreatePagefilePrivilege 4380 svchost.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exec259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.execmd.exedescription pid process target process PID 4292 wrote to memory of 2068 4292 c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe PID 4292 wrote to memory of 2068 4292 c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe PID 4292 wrote to memory of 2068 4292 c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe PID 2068 wrote to memory of 4200 2068 c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe cmd.exe PID 2068 wrote to memory of 4200 2068 c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe cmd.exe PID 4200 wrote to memory of 4180 4200 cmd.exe mode.com PID 4200 wrote to memory of 4180 4200 cmd.exe mode.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"C:\Users\Admin\AppData\Local\Temp\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\89E9.tmp\89EA.bat C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\system32\mode.commode con cols=70 lines=254⤵PID:4180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4380
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exeMD5
4b0cd05799ddbaf3472af06886058be9
SHA105e45158256dc0200eaf86ca61ac49a50499788d
SHA2567150ebc1661db2d431ab7a11e6bfee9cf81ad6626f1a6a943143c7117f8a8d75
SHA5126f322fc8d2cbadee9a9a294498e95fa5042c0db33151c434bb78076ff160a213772ad72b0a5a832c3f5bd06765a3a652a984022f5c906a63e0210cd65bd1b84d
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exeMD5
4b0cd05799ddbaf3472af06886058be9
SHA105e45158256dc0200eaf86ca61ac49a50499788d
SHA2567150ebc1661db2d431ab7a11e6bfee9cf81ad6626f1a6a943143c7117f8a8d75
SHA5126f322fc8d2cbadee9a9a294498e95fa5042c0db33151c434bb78076ff160a213772ad72b0a5a832c3f5bd06765a3a652a984022f5c906a63e0210cd65bd1b84d
-
C:\Users\Admin\AppData\Local\Temp\89E9.tmp\89EA.batMD5
f0d9b143a0365b6e17b482c97e2f4781
SHA1ce29368fda40f9a496878171440c88e25487ec28
SHA256b093c2635c7d5ad1aa6e76f973bc8cc611098972c334d48d27f03073787de884
SHA51271176e2e73112aec294e4bdf3fb9517060176cc07d11c43e169dff9b2840dc54390a4c95d96b5e439e74071ec5c5dd4f2c86e82007bda16d6ffffd5cc69ea11a
-
memory/4380-133-0x000001DC4D3A0000-0x000001DC4D3B0000-memory.dmpFilesize
64KB
-
memory/4380-134-0x000001DC4DA20000-0x000001DC4DA30000-memory.dmpFilesize
64KB
-
memory/4380-135-0x000001DC50120000-0x000001DC50124000-memory.dmpFilesize
16KB