Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 16:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: bf4cd2f5d664e2a8d60f411dce8359b6.exe
- Resource: win7-20220414-en
General
- Target: bf4cd2f5d664e2a8d60f411dce8359b6.exe
- Size: 190KB
- MD5: bf4cd2f5d664e2a8d60f411dce8359b6
- SHA1: 1f6dce3eaef268dc95e1c61bcda025a5f46bc5ef
- SHA256: 57638abb65ee04cbd560abcddb83414f992551282310ed4659c74b0687027092
- SHA512: 437bf91698dbd44fde048bcf0ea8c91c56eea0693e45a79c8079c6e5ecdc61c82ac28190dd767e87e5e047877a345ed1fc3db7a09ca45a03805877bda1396890
Malware Config
Extracted: limerat
bc1quxey9qaznc2p3yjkerld76m3ktpewnh7m5ahpt
- aes_key: 103010
- antivm: true
- c2_url: https://agleamoda.000webhostapp.com/link.html
- delay: 3
- download_payload: false
- install: false
- install_name: Wservices.exe
- main_folder: Temp
- pin_spread: false
- sub_folder: \
- usb_spread: true
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | bf4cd2f5d664e2a8d60f411dce8359b6.exe
- Neshta
  Malware from the Neshta family infects other executable files in order to spread and cause damage.
- Executes dropped EXE (2 IoCs)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe, system.exe
  pid | process
  3476 | bf4cd2f5d664e2a8d60f411dce8359b6.exe
  4424 | system.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | bf4cd2f5d664e2a8d60f411dce8359b6.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google.com = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google.com\"" | bf4cd2f5d664e2a8d60f411dce8359b6.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe
  description | pid | process | target process
  PID 3476 set thread context of 4972 | 3476 | bf4cd2f5d664e2a8d60f411dce8359b6.exe | vbc.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe
  description | process: every entry below is "File opened for modification" by bf4cd2f5d664e2a8d60f411dce8359b6.exe
  ioc:
  C:\PROGRA~2\WINDOW~4\wmpshare.exe
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\WINDOW~4\wmlaunch.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~4.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE
  C:\PROGRA~2\WINDOW~4\setup_wm.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE
  C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmplayer.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE
  C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmprph.exe
- Drops file in Windows directory (1 IoC)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | bf4cd2f5d664e2a8d60f411dce8359b6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandbox environments.
  Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: dw20.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Modifies registry class (1 IoC)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | bf4cd2f5d664e2a8d60f411dce8359b6.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: system.exe
  pid | process
  4424 | system.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe, dw20.exe, system.exe
  description | pid | process
  Token: SeDebugPrivilege | 3476 | bf4cd2f5d664e2a8d60f411dce8359b6.exe
  Token: SeBackupPrivilege | 1752 | dw20.exe
  Token: SeBackupPrivilege | 1752 | dw20.exe
  Token: SeDebugPrivilege | 4424 | system.exe
  Token: SeDebugPrivilege | 4424 | system.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: bf4cd2f5d664e2a8d60f411dce8359b6.exe, bf4cd2f5d664e2a8d60f411dce8359b6.exe, vbc.exe
  description | pid | process | target process
  PID 4156 wrote to memory of 3476 | 4156 | bf4cd2f5d664e2a8d60f411dce8359b6.exe | bf4cd2f5d664e2a8d60f411dce8359b6.exe (3 entries)
  PID 3476 wrote to memory of 4972 | 3476 | bf4cd2f5d664e2a8d60f411dce8359b6.exe | vbc.exe (8 entries)
  PID 4972 wrote to memory of 1752 | 4972 | vbc.exe | dw20.exe (3 entries)
  PID 3476 wrote to memory of 4424 | 3476 | bf4cd2f5d664e2a8d60f411dce8359b6.exe | system.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bf4cd2f5d664e2a8d60f411dce8359b6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf4cd2f5d664e2a8d60f411dce8359b6.exe"
  Signatures:
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\bf4cd2f5d664e2a8d60f411dce8359b6.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\bf4cd2f5d664e2a8d60f411dce8359b6.exe"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (level 4)
        Command line: dw20.exe -x -s 772
        Signatures:
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\system.exe (level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\system.exe
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\bf4cd2f5d664e2a8d60f411dce8359b6.exe
  Filesize: 150KB
  MD5: c6f1126376dfd5d16c1641d07234c970
  SHA1: 6f6e58134df09013d8068acec596ca7c36a86c8a
  SHA256: a2f8edbdaac7b9bd39841e74b871486352a1c050b41fad8fb65475dd83464a2a
  SHA512: 71c222d26b08cb37b1ca9f024ead66bdf71e2c21bf1647b9fde83792896f7e4089d092728331c6566cde8b14dcd7ceab8b7c7f714233530cdfbf8b1296d7cf9c
- C:\Users\Admin\AppData\Local\Temp\system.exe
  Filesize: 30KB
  MD5: 81bd7febd0342d8d8070c4906a560f19
  SHA1: 24e82a05b8dd6e7a5283c28c767b816d8940b4bf
  SHA256: f96683d8cd888d9e1dd0808454ce9bb0198bde761396b40eb58d8a17b41048d1
  SHA512: 93cd1725f1738d1b1632c5f65fc6d8a17f5d25c14524db34cfe0c731947690bf9ca256d262e43275cf65a5400a5266a981796568fde76705c39996005f6af294
- memory/1752-136-0x0000000000000000-mapping.dmp
- memory/3476-130-0x0000000000000000-mapping.dmp
- memory/3476-133-0x0000000073A10000-0x0000000073FC1000-memory.dmp
  Filesize: 5.7MB
- memory/4424-145-0x0000000006540000-0x00000000065D2000-memory.dmp
  Filesize: 584KB
- memory/4424-143-0x0000000005150000-0x00000000051B6000-memory.dmp
  Filesize: 408KB
- memory/4424-137-0x0000000000000000-mapping.dmp
- memory/4424-140-0x0000000000770000-0x000000000077E000-memory.dmp
  Filesize: 56KB
- memory/4424-141-0x0000000005040000-0x00000000050DC000-memory.dmp
  Filesize: 624KB
- memory/4424-144-0x0000000005DF0000-0x0000000006394000-memory.dmp
  Filesize: 5.6MB
- memory/4972-134-0x0000000000000000-mapping.dmp
- memory/4972-142-0x0000000073A10000-0x0000000073FC1000-memory.dmp
  Filesize: 5.7MB
- memory/4972-135-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB