Analysis
max time kernel: 33s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 23:24

Static task: static1
Behavioral task: behavioral1
  Sample: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  Resource: win10v2004-20220414-en
General
Target: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
Size: 1.5MB
MD5: 88cb0a3e0961da86c65a2905b7172cb0
SHA1: fbf5141f6f859dc807e08f3c326c6bbdc955c498
SHA256: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d
SHA512: 5643761e089845eda5c82d37002153cd5825ad1b54745f80bf194e9a2192ed70b921a30e71fbef0c03a985245536ab186ff6927339c838cb9f7ed47132d5a574
Malware Config
Signatures
Detect Neshta Payload (5 IoCs)
Processes:
  resource                                              yara_rule
  C:\Windows\svchost.com                                family_neshta
  C:\Windows\svchost.com                                family_neshta
  C:\odt\OFFICE~1.EXE                                   family_neshta
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe  family_neshta
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE        family_neshta

Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  (process: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe)

Neshta
Malware in the Neshta family is designed to infect other files with copies of itself in order to spread and cause damage.

Executes dropped EXE (1 IoC)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  pid   process
  5104  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description        ioc
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  (process: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe)

Drops desktop.ini file(s) (2 IoCs)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description                   ioc
  File created                  C:\Windows\assembly\Desktop.ini
  File opened for modification  C:\Windows\assembly\Desktop.ini
  (process for all entries: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe)

Drops file in Program Files directory (9 IoCs)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description                   ioc
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  (process for all entries: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe)

Drops file in Windows directory (4 IoCs)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe, c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description                   ioc
  File opened for modification  C:\Windows\svchost.com
  File opened for modification  C:\Windows\assembly
  File created                  C:\Windows\assembly\Desktop.ini
  File opened for modification  C:\Windows\assembly\Desktop.ini
  (process for all entries: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  (process: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  pid   process
  5104  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  5104  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  5104  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description              pid   process
  Token: SeDebugPrivilege  5104  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  description                       pid   process                                                                   target process
  PID 3848 wrote to memory of 5104  3848  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  PID 3848 wrote to memory of 5104  3848  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  PID 3848 wrote to memory of 5104  3848  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe  c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\c0705041b495ccbaff8a486d43a1773cc1311154ff92b8fb45ae66eec8ad575d.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\svchost.com
      Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\C07050~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\C07050~1.EXE
  Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\C07050~1.EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads