Analysis
- max time kernel: 156s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-02-2022 05:36
Static task: static1
Behavioral task: behavioral1
- Sample: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
- Resource: win10v2004-en-20220112
General
- Target: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
- Size: 1.4MB
- MD5: 486e87262193316e8b12caa26e2c0fb7
- SHA1: 1d5687dec2039d0d127ea34611bdc6ec8efbc099
- SHA256: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188
- SHA512: 7456b64eccf71486d5d4f8943bc25c3f6169ab1ce4b43c24716e25345e15d69e86c50d9c1bc149227a504aa10be7a9c8aefbf69aa793b57614fdf4590d45e39e
Malware Config
Signatures
- Detect Neshta Payload (1 IoC)
  Processes:
    resource: behavioral1/memory/1376-60-0x0000000000400000-0x000000000041B000-memory.dmp
    yara_rule: family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
    process: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
- Neshta
  Malware from the Neshta family infects other executable files in order to spread and cause damage.
- Drops file in Windows directory (1 IoC)
  Processes:
    description: File opened for modification
    ioc: C:\Windows\svchost.com
    process: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
    process: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid: 780
    process: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (the report lists the same entry 20 times):
    description: PID 780 wrote to memory of 1376
    pid: 780
    process: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
    target process: 32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe"
  PID: 780
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\32f84aa8001735c4f774e65ad2afac74733e3a5e6ba54bb36603d8cb8e9ce188.exe"
    PID: 1376
    - Modifies system executable filetype association
    - Drops file in Windows directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/780-57-0x0000000000240000-0x0000000000246000-memory.dmp (filesize: 24KB)
- memory/780-58-0x0000000076B81000-0x0000000076B83000-memory.dmp (filesize: 8KB)
- memory/1376-60-0x0000000000400000-0x000000000041B000-memory.dmp (filesize: 108KB)
- memory/1376-61-0x00000000001B0000-0x00000000001B1000-memory.dmp (filesize: 4KB)