Analysis
- max time kernel: 138s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 23-02-2022 12:30
Static task: static1
Behavioral task: behavioral1
  Sample: ExpServer.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ExpServer.exe
  Resource: win10v2004-en-20220113
General
- Target: ExpServer.exe
- Size: 184KB
- MD5: f201c71f9389d996a80ce65a17353cbb
- SHA1: ba660d35e0e7f9e0ab84cdb6d869463c5bc77c19
- SHA256: 5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce
- SHA512: 4c86519951c1d39d0ce7c1a1bb1738704ba8957dc1b989e50e5c411676bf12d6284fd7bbf8789a13adc1d20f642e313d4a4071c08113a61edc6ccd93a058111b
Malware Config
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
    process: ExpServer.exe
- Neshta
  Malware from the Neshta family is designed to infect itself into other files to spread itself and cause damage.
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 3904
    process: ExpServer.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
    process: ExpServer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes:
- Drops file in Windows directory (1 IoC)
  Processes:
    description: File opened for modification
    ioc: C:\Windows\svchost.com
    process: ExpServer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
    process: ExpServer.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 1828 wrote to memory of 3904
    pid: 1828
    process: ExpServer.exe
    target process: ExpServer.exe
    description: PID 1828 wrote to memory of 3904
    pid: 1828
    process: ExpServer.exe
    target process: ExpServer.exe
    description: PID 1828 wrote to memory of 3904
    pid: 1828
    process: ExpServer.exe
    target process: ExpServer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ExpServer.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ExpServer.exe"
  PID: 1828
  Signatures:
    - Modifies system executable filetype association
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\ExpServer.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\ExpServer.exe"
    PID: 3904
    Signatures:
      - Executes dropped EXE
      - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\ExpServer.exe
  MD5: 6c7a8e07ee50716bcac297032deb547e
  SHA1: 6b67b48969e1e083ac1f9ea74a1ff5fc9c6497a4
  SHA256: 3afc44005a08136d9385313daf6fb3e1207661f59e9bdb36621d7a3c7bc35439
  SHA512: bb82f0c4aebcd8cc3db6115f935cb5d902509ea746bd868b522f39637c05a680dcd031a5dd122bcd866a5297727095fc56532df2a43d5c746d4c535992fa6597
- memory/3904-132-0x0000000010000000-0x000000001000C000-memory.dmp
  Filesize: 48KB