Overview

overview

10

Static

static

10

0d3981bfa3...3d.exe

windows7_x64

10

0d3981bfa3...3d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    22-02-2022 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe

  • Size

    149KB

  • MD5

    67db7e935f91f3067660fbdc6158d3fe

  • SHA1

    17dbd1bc94eeb0810e663051fdc64bd3b8e68754

  • SHA256

    0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d

  • SHA512

    1adc63846fea4f139ff043ee3e2b69227c2ed88a180be69e6e071e0d8671fbfb4454c3b40257f9fa595dca5f949343ef01394d9d0cd4565eb699347dc7d81ce2

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe
    "C:\Users\Admin\AppData\Local\Temp\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Users\Admin\AppData\Local\Temp\3582-490\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\0d3981bfa3e29cec43a2677b5c5d319e046f8cac34b221db3d18da2fe6461b3d.exe
    MD5

    29353713d24c45d38396836f9ba47a2f

    SHA1

    9768a721303375a51284283a0680632dfa60c45e

    SHA256

    f42e55c997e14593eaa8a702a04a7a477b7f56cb151db288a9aee3c7b7dc708b

    SHA512

    2111be61fd371f1669d02d94099279b131533b64e4ee8055a0694344ec6fbd4551e02bc7b22f2359d519f08e014c1d648efcdb878fafca208355ae1104a8837b

    Download Submit