Analysis
-
max time kernel
164s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
22-02-2022 11:34
Static task
static1
Behavioral task
behavioral1
Sample
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe
Resource
win10v2004-en-20220112
General
-
Target
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe
-
Size
911KB
-
MD5
00c22062ab8d4bf5afb577c55d3803bb
-
SHA1
1e3bb2c4c9def27a96133d6c9e9770c568ed7d77
-
SHA256
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4
-
SHA512
2980e46559cfa57f1c39d67eb8e231463f96deb6e5d7f1c5cabe974a3daf0c30c90e644639e28e2c805192f3b70963947c2a991d1c4ceacacdbb6a3e2369aaf0
Malware Config
Signatures
-
Detect Neshta Payload 3 IoCs
Processes:
resource yara_rule C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\odt\OFFICE~1.EXE family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe MailPassView C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe WebBrowserPassView C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe WebBrowserPassView -
Nirsoft 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe Nirsoft C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exesvchost.compid process 2144 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe 3308 svchost.com -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe -
Drops file in Windows directory 5 IoCs
Processes:
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exesvchost.comTiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\svchost.com 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 49 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4112" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.882333" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132901798018847177" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.296839" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4168" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe -
Modifies registry class 2 IoCs
Processes:
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exefondue.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings fondue.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
TiWorker.exedescription pid process Token: SeSecurityPrivilege 2680 TiWorker.exe Token: SeRestorePrivilege 2680 TiWorker.exe Token: SeBackupPrivilege 2680 TiWorker.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exefondue.exesvchost.comdescription pid process target process PID 1100 wrote to memory of 2144 1100 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe PID 1100 wrote to memory of 2144 1100 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe PID 1100 wrote to memory of 2144 1100 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe PID 2144 wrote to memory of 2908 2144 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe fondue.exe PID 2144 wrote to memory of 2908 2144 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe fondue.exe PID 2144 wrote to memory of 2908 2144 2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe fondue.exe PID 2908 wrote to memory of 3308 2908 fondue.exe svchost.com PID 2908 wrote to memory of 3308 2908 fondue.exe svchost.com PID 2908 wrote to memory of 3308 2908 fondue.exe svchost.com PID 3308 wrote to memory of 1736 3308 svchost.com FonDUE.EXE PID 3308 wrote to memory of 1736 3308 svchost.com FonDUE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"C:\Users\Admin\AppData\Local\Temp\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\system32\FonDUE.EXEC:\Windows\sysnative\FonDUE.EXE /enable-feature:NetFx3 /caller-name:mscoreei.dll5⤵PID:1736
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:1892
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3268
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exeMD5
fac048edfd55c427134fd2ecad226fae
SHA17960fd65ac355a87881ac25f367b0738bb5672e6
SHA2567d41c7dc5a3e25aedaa25a87f1436af6c4107362ce724c0693a4cbaa5735bdf2
SHA512fd1db15ac7337a9447f07df802e0cbaffa3f6cf052f4c4299a004e579665dd2812fb12c3bfc1d450b8fa1e807116f1a9b567cd60192ba8a8dbd20a8ad4fabcff
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2283eba55b722639287a446420f65f0161bb89b10d27136281b57381384e5ce4.exeMD5
fac048edfd55c427134fd2ecad226fae
SHA17960fd65ac355a87881ac25f367b0738bb5672e6
SHA2567d41c7dc5a3e25aedaa25a87f1436af6c4107362ce724c0693a4cbaa5735bdf2
SHA512fd1db15ac7337a9447f07df802e0cbaffa3f6cf052f4c4299a004e579665dd2812fb12c3bfc1d450b8fa1e807116f1a9b567cd60192ba8a8dbd20a8ad4fabcff
-
C:\Windows\svchost.comMD5
aa962d6ec2961e8b1ba5739ddeb2e4b4
SHA1c5aed4ad464c5720010ef764247a36721048c72f
SHA25660cd79482f561687b17f8e4ab37bd42f69d431f93cd1b8ed4eb913be0e37fdb9
SHA5123085c38208c7c134a7d58846322bbe4c717f9710cf22dd0aadc7402c2943d521637b5b8dfbfe8e01de3052504765544fa542e50dfb9d6989c8f92cdc4a00ecad
-
C:\Windows\svchost.comMD5
aa962d6ec2961e8b1ba5739ddeb2e4b4
SHA1c5aed4ad464c5720010ef764247a36721048c72f
SHA25660cd79482f561687b17f8e4ab37bd42f69d431f93cd1b8ed4eb913be0e37fdb9
SHA5123085c38208c7c134a7d58846322bbe4c717f9710cf22dd0aadc7402c2943d521637b5b8dfbfe8e01de3052504765544fa542e50dfb9d6989c8f92cdc4a00ecad
-
C:\odt\OFFICE~1.EXEMD5
02c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099