Overview

overview

10

Static

static

10

af102c104f...9d.exe

windows7_x64

10

af102c104f...9d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-03-2022 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe

  • Size

    133KB

  • MD5

    65a875267a495f0b3f54b4155b23ac01

  • SHA1

    0c1ce34b1e4c24bfd410c224d86cf3edcfb3a258

  • SHA256

    af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d

  • SHA512

    eb481ecdfde628b7fd1f8e9fa1312b771b8093d310d6432960e4c158f47a7f409dcc91ae2a158c263b1e0eeaf09fc2e0b00d3ff3ba40672b088c6a98539f39b6

Score
10/10
dharmaneshtapersistenceransomwarespyware

Malware Config

Signatures

  • Detect Neshta Payload 1 IoCs
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
    "C:\Users\Admin\AppData\Local\Temp\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
            PID:976
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:2160
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
      MD5

      bd3b686c6f9ef32f14dbfa7d5abed9ff

      SHA1

      a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

      SHA256

      1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

      SHA512

      8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3582-490\af102c104f53ddcb2b92a53596330646070fd5335190c28b36015beb3eb1e09d.exe
      MD5

      bd3b686c6f9ef32f14dbfa7d5abed9ff

      SHA1

      a21e4f2fac9379bcc66f62375c9f2b70ae3b09e0

      SHA256

      1f9858eefa4438d1fd624892d7d923f79c5d980bc1f13db764e5996c10ab2991

      SHA512

      8568a619a8a88b4db903070baaded0d10de7b0f2e8949e769276c2c757380dd21a09084c03b49bb92c624b938a16b035e6123add9941c845b5bcefc353cc8add

      Download Submit

    • C:\odt\office2016setup.exe
      MD5

      43f3c7a6179e4a4a996d52f9848df388

      SHA1

      c14d3d4b4b6305d8dd7b04d89ffca4721f385c73

      SHA256

      1f7057caa05a6482d66b2c92d296aaec25281108d629ceef415cc9d7e39d1076

      SHA512

      6d1db0b64750e3e3f8a1818887d69736ac592a8812b6ce9ce1e90adc6643e13ced6dd5987d4d0006dffab83ff8ea3340be22f585341b200a69d0984c38ed9b58

      Download Submit