Analysis
  max time kernel:  154s
  max time network: 139s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        11-02-2022 06:56
Static task: static1
Behavioral task: behavioral1
  Sample:   53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample:   53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  Resource: win10v2004-en-20220113
General
  Target: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  Size:   105KB
  MD5:    467cceb1ab90bf50dc35f65dc513a483
  SHA1:   907c7792120b5aee6970b4b13747a729fbd59f7d
  SHA256: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718
  SHA512: e85f314c33cb521ea3dabec4b2fcfde61a5bab2e5b06a2eb0268f0c35c510318a6510dd77bc2bfa11b7350533adf659895a440ee1496d335843dfad712121f1c
Malware Config
  Extracted from: C:\0_HELP_DECRYPT_FILE.html (ransom-note path written to the root of the system drive)
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  Effect: every .exe launched through the shell now runs C:\Windows\svchost.com first, with the requested executable and its arguments passed through as "%1" %*.
Neshta
  Neshta is a file infector: it writes its own code into other executables so that running any infected program spreads it further and damages the host files. The entries below fit that pattern: svchost.com is written into C:\Windows, the exefile association is redirected to it, 25 existing executables under Program Files are opened for modification, and the payload is launched from a 3582-490 sub-directory of %TEMP%.
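The registry write above is the part of this report a responder most often has to verify on other hosts. The following script is an added example (it is not part of the sandbox report and not the sample's code): it parses the exefile open command out of a .reg export, unescapes it, and flags the value as hijacked whenever the first token is anything other than the literal "%1". The .reg text, the key-path constant and the function names are this example's own; the command value is the one the report shows.

```python
"""Check whether the exefile shell\\open\\command handler has been hijacked.

Added example; not part of the sandbox report and not the sample's code.
Windows' default for HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command
is the literal string
    "%1" %*
(run the requested .exe itself, pass its arguments through). The report
shows it rewritten to
    C:\\Windows\\svchost.com "%1" %*
so the interposer runs before every .exe launched through the shell.
SAMPLE_REG_EXPORT below is constructed to mirror that IoC.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed .reg-style export of the key as this report shows it set.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\Windows\\svchost.com \"%1\" %*"
'''


def parse_reg_default_value(reg_text: str, key_path: str) -> str | None:
    """Return the (default) value of key_path from a .reg export, unescaped.

    .reg files escape backslash and double quote with a backslash; reversing
    that yields the string the shell will actually execute.
    """
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if in_key and line.startswith('@="') and line.endswith('"'):
            return re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return None


def split_windows_cmdline(cmd: str) -> list[str]:
    """Tokenize on whitespace outside double quotes; quotes stay in the token."""
    tokens: list[str] = []
    cur, quoted = "", False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


@dataclass(frozen=True)
class AssociationCheck:
    hijacked: bool
    handler: str | None  # image that runs before the requested .exe, if any
    command: str


def check_exefile_association(command: str) -> AssociationCheck:
    """Hijacked when the first token is anything other than the literal "%1"."""
    tokens = split_windows_cmdline(command.strip())
    if tokens and tokens[0] == '"%1"':
        return AssociationCheck(False, None, command)
    handler = tokens[0].strip('"') if tokens else None
    return AssociationCheck(True, handler, command)


def check_reg_export(reg_text: str) -> AssociationCheck | None:
    """Parse a .reg export and check its exefile open command."""
    value = parse_reg_default_value(reg_text, EXEFILE_KEY)
    return None if value is None else check_exefile_association(value)


if __name__ == "__main__":
    print(check_reg_export(SAMPLE_REG_EXPORT))
```

On a live host the same value can be read with `reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve`. Restoring `"%1" %*` is necessary but not sufficient: the infector still lives in C:\Windows\svchost.com and in every executable it has already written itself into, so those must be cleaned or replaced as well.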
Executes dropped EXE (1 IoC)
  PID 760  53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension of the files it encrypts; here the extension .lock is appended to the original name.
  Process: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  File renamed                  C:\Users\Admin\Pictures\UnblockWait.png => C:\Users\Admin\Pictures\UnblockWait.png.lock
  File renamed                  C:\Users\Admin\Pictures\ConfirmCompress.png => C:\Users\Admin\Pictures\ConfirmCompress.png.lock
  File opened for modification  C:\Users\Admin\Pictures\GrantRemove.tiff
  File renamed                  C:\Users\Admin\Pictures\GrantRemove.tiff => C:\Users\Admin\Pictures\GrantRemove.tiff.lock
  File renamed                  C:\Users\Admin\Pictures\MeasureUnregister.png => C:\Users\Admin\Pictures\MeasureUnregister.png.lock
Loads dropped DLL (3 IoCs)
  PID 1652  53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe (3 events)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and history. The report lists no individual IoC for this signature.
Drops desktop.ini file(s) (26 IoCs)
  Process: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  File opened for modification:
    C:\Users\Admin\Contacts\desktop.ini
    C:\Users\Public\Pictures\desktop.ini
    C:\Users\Public\Music\Sample Music\desktop.ini
    C:\Users\Public\Libraries\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Users\Public\Documents\desktop.ini
    C:\Users\Admin\Searches\desktop.ini
    C:\Users\Admin\Saved Games\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Public\Videos\desktop.ini
    C:\Users\Public\Recorded TV\desktop.ini
    C:\Users\Public\Recorded TV\Sample Media\desktop.ini
    C:\Users\Public\Music\desktop.ini
    C:\Users\Admin\Music\desktop.ini
    C:\Users\Admin\Favorites\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Public\desktop.ini
    C:\Users\Admin\Links\desktop.ini
    C:\Users\Admin\Favorites\Links\desktop.ini
    C:\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\Favorites\Links for United States\desktop.ini
    C:\Users\Admin\Desktop\desktop.ini
    C:\Users\Public\Videos\Sample Videos\desktop.ini
    C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    C:\Users\Public\Downloads\desktop.ini
    C:\Users\Public\Desktop\desktop.ini
Drops file in Program Files directory (25 IoCs)
  Process: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  All 25 entries are existing executables opened for write, which is what the Neshta file-infector behaviour flagged above looks like on disk.
  File opened for modification:
    C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
    C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
    C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
    C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
    C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
    C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
    C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
    C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
    C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
    C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
    C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
    C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
Drops file in Windows directory (1 IoC)
  Process: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  File opened for modification  C:\Windows\svchost.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour, since encryptors enumerate drives to find files to process.
Modifies registry class (1 IoC)
  Process: 53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (the same write as the filetype-association signature above)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 760  53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1652 (53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe) wrote to memory of PID 760 (53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe), 4 events
Processes
  1. C:\Users\Admin\AppData\Local\Temp\53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe"
     PID: 1652
     - Modifies system executable filetype association
     - Loads dropped DLL
     - Drops file in Program Files directory
     - Drops file in Windows directory
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
  2. (child of 1) C:\Users\Admin\AppData\Local\Temp\3582-490\53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe"
     PID: 760
     - Executes dropped EXE
     - Modifies extensions of user files
     - Drops desktop.ini file(s)
     - Suspicious behavior: EnumeratesProcesses
  Note: the parent is the submitted file (MD5 467cceb1ab90bf50dc35f65dc513a483) and shows only the Neshta infector behaviour; the file-encryption behaviour comes from the child, which is a different file (MD5 694034feb1457fc087fcf8bfdbbeb1a5, see Downloads) that the parent wrote into the 3582-490 directory under the same name before launching it.
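The process tree and IoCs above reduce to three behaviours a detection engineer can encode: the wrapper-to-payload launch chain (same file name, 3582-490 sub-directory of the parent's directory, parent writes into the child's memory), a .com file written directly into C:\Windows, and a burst of renames that append one new extension to user files. The script below is an added example, not part of the sandbox report and not any sensor's schema: the event field names are this example's own, the event list is constructed from the report's process tree and IoCs plus one benign rename for contrast, and the parent's own ppid (1000) is invented since the report does not show it. The .com rule is generalised from the report's single svchost.com entry to any .com written into the Windows directory.

```python
"""Triage rules for this report's behaviour, run over constructed events.

Added example; not part of the sandbox report, and the event fields are
this example's own rather than any particular sensor's schema. Each rule
is tied to an IoC the report lists:
  R1  a child whose image has the same file name as its parent but lives
      in a 3582-490 sub-directory of the parent's directory, and the
      parent wrote into the child's memory (the report's 1652 -> 760 chain)
  R2  a .com file written directly under C:\\Windows (report: svchost.com)
  R3  one process renaming >= THRESHOLD files under C:\\Users by appending
      the same new extension (report: four .png/.tiff -> .lock renames)
EVENTS is constructed from the report's process tree and IoCs, plus one
benign rename for contrast; the parent's own ppid (1000) is invented.
"""
from __future__ import annotations

from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = "53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe"
TEMP = PureWindowsPath(r"C:\Users\Admin\AppData\Local\Temp")
PICS = PureWindowsPath(r"C:\Users\Admin\Pictures")
USERS_ROOT = PureWindowsPath(r"C:\Users")
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
THRESHOLD = 3


def _rename(pid: int, folder: PureWindowsPath, name: str, ext: str) -> dict:
    """Build a rename event that appends ext to name (the report's .lock pattern)."""
    return {"type": "file_rename", "pid": pid,
            "old": str(folder / name), "new": str(folder / (name + ext))}


EVENTS: list[dict] = [
    {"type": "process", "pid": 1652, "ppid": 1000, "image": str(TEMP / SAMPLE)},
    {"type": "file_write", "pid": 1652, "path": str(WINDOWS_DIR / "svchost.com")},
    {"type": "file_write", "pid": 1652, "path": str(TEMP / "3582-490" / SAMPLE)},
    {"type": "process", "pid": 760, "ppid": 1652, "image": str(TEMP / "3582-490" / SAMPLE)},
    {"type": "write_process_memory", "pid": 1652, "target_pid": 760},
    _rename(760, PICS, "UnblockWait.png", ".lock"),
    _rename(760, PICS, "ConfirmCompress.png", ".lock"),
    _rename(760, PICS, "GrantRemove.tiff", ".lock"),
    _rename(760, PICS, "MeasureUnregister.png", ".lock"),
    # constructed benign rename: extension replaced rather than appended
    {"type": "file_rename", "pid": 900,
     "old": r"C:\Users\Admin\Documents\draft.docx",
     "new": r"C:\Users\Admin\Documents\final.docx"},
]


def neshta_launch_chains(events: list[dict]) -> list[tuple[int, int]]:
    """R1: (parent_pid, child_pid) pairs matching the wrapper -> payload launch."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    wrote = {(e["pid"], e["target_pid"])
             for e in events if e["type"] == "write_process_memory"}
    hits: list[tuple[int, int]] = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        cp, pp = PureWindowsPath(child["image"]), PureWindowsPath(parent["image"])
        if (cp.name.lower() == pp.name.lower()
                and cp.parent.name == "3582-490"
                and cp.parent.parent == pp.parent          # case-insensitive compare
                and (parent["pid"], child["pid"]) in wrote):
            hits.append((parent["pid"], child["pid"]))
    return hits


def windows_com_drops(events: list[dict]) -> list[str]:
    """R2: .com files written directly into the Windows directory."""
    return [e["path"] for e in events
            if e["type"] == "file_write"
            and PureWindowsPath(e["path"]).parent == WINDOWS_DIR
            and PureWindowsPath(e["path"]).suffix.lower() == ".com"]


def rename_bursts(events: list[dict], threshold: int = THRESHOLD) -> dict[tuple[int, str], int]:
    """R3: {(pid, appended_ext): count} for processes at or above threshold."""
    counts: dict[tuple[int, str], int] = defaultdict(int)
    for e in events:
        if e["type"] != "file_rename":
            continue
        old, new = PureWindowsPath(e["old"]), PureWindowsPath(e["new"])
        if USERS_ROOT not in new.parents:
            continue
        # appended, not replaced: new name == old name + new suffix
        if new.suffix and new.name.lower() == (old.name + new.suffix).lower():
            counts[(e["pid"], new.suffix.lower())] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def triage(events: list[dict]) -> dict:
    """Run all three rules and return their hits keyed by rule name."""
    return {"neshta_launch_chains": neshta_launch_chains(events),
            "windows_com_drops": windows_com_drops(events),
            "rename_bursts": rename_bursts(events)}


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

R3 keys on the appended suffix rather than on .lock specifically, so a different ransomware extension is caught by the same rule; the threshold is a tuning knob, and the benign draft.docx to final.docx rename is excluded because the extension is replaced rather than appended.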
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\3582-490\53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
    MD5    694034feb1457fc087fcf8bfdbbeb1a5
    SHA1   c2732292c3d8b9e39b5e09e2fa0c07a9523201db
    SHA256 a65f644e5b9be65233b0e826ad5f8ecfd0f084c656a667c91fd7405dd98b5c48
    SHA512 3ea14a798cc7714e354c7ab0cbe690f58a21b3c086a16593a3a6d2a079bce1b7d74fdaf270037b3cb4af50024998491111c376ad0f372fe872dbb0f6ece8b428
  \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5    9e2b9928c89a9d0da1d3e8f4bd96afa7
    SHA1   ec66cda99f44b62470c6930e5afda061579cde35
    SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
    SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
  \Users\Admin\AppData\Local\Temp\3582-490\53c444745c8fb794e800f8634af9986c6e0e4b025d760950409bb823a461d718.exe
    MD5    694034feb1457fc087fcf8bfdbbeb1a5
    SHA1   c2732292c3d8b9e39b5e09e2fa0c07a9523201db
    SHA256 a65f644e5b9be65233b0e826ad5f8ecfd0f084c656a667c91fd7405dd98b5c48
    SHA512 3ea14a798cc7714e354c7ab0cbe690f58a21b3c086a16593a3a6d2a079bce1b7d74fdaf270037b3cb4af50024998491111c376ad0f372fe872dbb0f6ece8b428
  memory/1652-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
    Filesize 8KB