Analysis
-
max time kernel
164s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
22-02-2022 11:34
General
-
Target
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe
-
Size
911KB
-
MD5
00c22062ab8d4bf5afb577c55d3803bb
-
SHA1
1e3bb2c4c9def27a96133d6c9e9770c568ed7d77
-
SHA256
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4
-
SHA512
2980e46559cfa57f1c39d67eb8e231463f96deb6e5d7f1c5cabe974a3daf0c30c90e644639e28e2c805192f3b70963947c2a991d1c4ceacacdbb6a3e2369aaf0
Malware Config
Signatures
-
Detect Neshta Payload 3 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 49 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"C:\Users\Admin\AppData\Local\Temp\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\FonDUE.EXEC:\Windows\sysnative\FonDUE.EXE /enable-feature:NetFx3 /caller-name:mscoreei.dll5⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exeMD5
fac048edfd55c427134fd2ecad226fae
SHA17960fd65ac355a87881ac25f367b0738bb5672e6
SHA2567d41c7dc5a3e25aedaa25a87f1436af6c4107362ce724c0693a4cbaa5735bdf2
SHA512fd1db15ac7337a9447f07df802e0cbaffa3f6cf052f4c4299a004e579665dd2812fb12c3bfc1d450b8fa1e807116f1a9b567cd60192ba8a8dbd20a8ad4fabcff
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exeMD5
fac048edfd55c427134fd2ecad226fae
SHA17960fd65ac355a87881ac25f367b0738bb5672e6
SHA2567d41c7dc5a3e25aedaa25a87f1436af6c4107362ce724c0693a4cbaa5735bdf2
SHA512fd1db15ac7337a9447f07df802e0cbaffa3f6cf052f4c4299a004e579665dd2812fb12c3bfc1d450b8fa1e807116f1a9b567cd60192ba8a8dbd20a8ad4fabcff
-
C:\Windows\svchost.comMD5
aa962d6ec2961e8b1ba5739ddeb2e4b4
SHA1c5aed4ad464c5720010ef764247a36721048c72f
SHA25660cd79482f561687b17f8e4ab37bd42f69d431f93cd1b8ed4eb913be0e37fdb9
SHA5123085c38208c7c134a7d58846322bbe4c717f9710cf22dd0aadc7402c2943d521637b5b8dfbfe8e01de3052504765544fa542e50dfb9d6989c8f92cdc4a00ecad
-
C:\Windows\svchost.comMD5
aa962d6ec2961e8b1ba5739ddeb2e4b4
SHA1c5aed4ad464c5720010ef764247a36721048c72f
SHA25660cd79482f561687b17f8e4ab37bd42f69d431f93cd1b8ed4eb913be0e37fdb9
SHA5123085c38208c7c134a7d58846322bbe4c717f9710cf22dd0aadc7402c2943d521637b5b8dfbfe8e01de3052504765544fa542e50dfb9d6989c8f92cdc4a00ecad
-
C:\odt\OFFICE~1.EXEMD5
02c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099