Analysis
-
max time kernel
89s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 02:30
Static task
static1
Behavioral task
behavioral1
Sample
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
Resource
win10v2004-20220414-en
General
-
Target
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
-
Size
694KB
-
MD5
379a1a8ee773f5cac581582ecb564edf
-
SHA1
0bbc529e9f65ddc70adb582fd4f637de5c5a57c1
-
SHA256
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58
-
SHA512
86b5ecf17982169f138cd43839654551ad2148d34fdd99af04397b807895aee89de44c17e26272046fa0cafea99e034894f43ecdca76d0401449ecd81c4ebb61
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exepid process 5048 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe -
Drops file in Program Files directory 14 IoCs
Processes:
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exedescription ioc process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe -
Drops file in Windows directory 1 IoCs
Processes:
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exedescription ioc process File opened for modification C:\Windows\svchost.com 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 672 5048 WerFault.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe -
Modifies registry class 1 IoCs
Processes:
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exedescription pid process target process PID 1160 wrote to memory of 5048 1160 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe PID 1160 wrote to memory of 5048 1160 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe 6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe"C:\Users\Admin\AppData\Local\Temp\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe"2⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5048 -s 8003⤵
- Program crash
PID:672
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 204 -p 5048 -ip 50481⤵PID:4724
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exeFilesize
653KB
MD5b78bc6dc4e5f2b0a6e651b34b54c37d2
SHA1e19188dbfad20b61ff7f36585a9f5225f3a4f6b8
SHA25624491ebdb6641ca0ba23fc6a0f10e75a5520e924ef0901072a1413b23eff5711
SHA512724c61065c51f367ada9cbdeb993ea68fecca0635852d7bba24e8dd2c7e7818ece9a75ba214a0a49f63c6964fe73f2d8824c17170e58d8196e405bc66fb28ee5
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exeFilesize
653KB
MD5b78bc6dc4e5f2b0a6e651b34b54c37d2
SHA1e19188dbfad20b61ff7f36585a9f5225f3a4f6b8
SHA25624491ebdb6641ca0ba23fc6a0f10e75a5520e924ef0901072a1413b23eff5711
SHA512724c61065c51f367ada9cbdeb993ea68fecca0635852d7bba24e8dd2c7e7818ece9a75ba214a0a49f63c6964fe73f2d8824c17170e58d8196e405bc66fb28ee5
-
memory/5048-133-0x0000012E77D70000-0x0000012E77E18000-memory.dmpFilesize
672KB
-
memory/5048-130-0x0000000000000000-mapping.dmp
-
memory/5048-134-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmpFilesize
10.8MB