Analysis
-
max time kernel
163s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
22-02-2022 20:04
Static task
static1
Behavioral task
behavioral1
Sample
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe
Resource
win10v2004-en-20220112
General
-
Target
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe
-
Size
149KB
-
MD5
67db7e935f91f3067660fbdc6158d3fe
-
SHA1
17dbd1bc94eeb0810e663051fdc64bd3b8e68754
-
SHA256
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d
-
SHA512
1adc63846fea4f139ff043ee3e2b69227c2ed88a180be69e6e071e0d8671fbfb4454c3b40257f9fa595dca5f949343ef01394d9d0cd4565eb699347dc7d81ce2
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exepid process 3660 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe -
Drops file in Windows directory 1 IoCs
Processes:
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exedescription ioc process File opened for modification C:\Windows\svchost.com 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exepid process 3660 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exedescription pid process target process PID 3940 wrote to memory of 3660 3940 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe PID 3940 wrote to memory of 3660 3940 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe PID 3940 wrote to memory of 3660 3940 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe 0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe"C:\Users\Admin\AppData\Local\Temp\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\3582-490\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3660
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exeMD5
29353713d24c45d38396836f9ba47a2f
SHA19768a721303375a51284283a0680632dfa60c45e
SHA256f42e55c997e14593eaa8a702a04a7a477b7f56cb151db288a9aee3c7b7dc708b
SHA5122111be61fd371f1669d02d94099279b131533b64e4ee8055a0694344ec6fbd4551e02bc7b22f2359d519f08e014c1d648efcdb878fafca208355ae1104a8837b