Analysis
Max time kernel: 156s
Max time network: 183s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 09-02-2022 10:21
Static task: static1
Behavioral task: behavioral1
  Sample: YOUR NEFT PAY.exe
  Resource: win7-en-20211208
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: YOUR NEFT PAY.exe
  Resource: win10v2004-en-20220113
  0 signatures, 0 seconds
General
Target: YOUR NEFT PAY.exe
Size: 1.3MB
MD5: f25c22f38bb732e20c691cba2cdccf84
SHA1: 22e4e3d56dfab31dc3e74880090c7615313527d5
SHA256: 447574ed06b4e8cb0e9a379b09954355e5e7cc70d48083b52b7ec572bd07c0e2
SHA512: 3ece4008151eb32967b238bd316cfc5d93dfd7aa87c85f4f6fadf5867c8de7d13fcdaacfb2b0947e59e37d86705c58a76b9ff4108e0540066ab450bab558ed72
Score: 4/10
Malware Config
Signatures
Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe
  Description                    IoC                                                          Process
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  File opened for modification   C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  File opened for modification   C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  File opened for modification   C:\Windows\WindowsUpdate.log                                 svchost.exe
  File opened for modification   C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
  Description                          PID    Process
  Token: SeShutdownPrivilege           2220   svchost.exe    (repeated 3 times)
  Token: SeCreatePagefilePrivilege     2220   svchost.exe    (repeated 3 times)
  Token: SeSecurityPrivilege           4244   TiWorker.exe   (repeated)
  Token: SeRestorePrivilege            4244   TiWorker.exe   (repeated)
  Token: SeBackupPrivilege             4244   TiWorker.exe   (repeated)
  The TiWorker.exe entries cycle through SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege for the remainder of the 64 IoCs.
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: YOUR NEFT PAY.exe
  PID    Process
  4976   YOUR NEFT PAY.exe
  4976   YOUR NEFT PAY.exe
  4976   YOUR NEFT PAY.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: YOUR NEFT PAY.exe
  Description                          PID    Process             procid_target
  PID 4976 wrote to memory of 4948     4976   YOUR NEFT PAY.exe   85
  PID 4976 wrote to memory of 4948     4976   YOUR NEFT PAY.exe   85
  PID 4976 wrote to memory of 4948     4976   YOUR NEFT PAY.exe   85
Processes
C:\Users\Admin\AppData\Local\Temp\YOUR NEFT PAY.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\YOUR NEFT PAY.exe"
  PID: 4976
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
    PID: 4948
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 2220
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  PID: 4244
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken