Overview

overview

10

Static

static

10

6faa6b7040...58.exe

windows7_x64

10

6faa6b7040...58.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    89s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 02:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe

  • Size

    694KB

  • MD5

    379a1a8ee773f5cac581582ecb564edf

  • SHA1

    0bbc529e9f65ddc70adb582fd4f637de5c5a57c1

  • SHA256

    6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58

  • SHA512

    86b5ecf17982169f138cd43839654551ad2148d34fdd99af04397b807895aee89de44c17e26272046fa0cafea99e034894f43ecdca76d0401449ecd81c4ebb61

Score
10/10
neshtapersistencespyware

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
    "C:\Users\Admin\AppData\Local\Temp\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe"
      2⤵
      • Executes dropped EXE
      PID:5048
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 5048 -s 800
        3⤵
        • Program crash
        PID:672
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 204 -p 5048 -ip 5048
    1⤵
      PID:4724

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
      Filesize

      653KB

      MD5

      b78bc6dc4e5f2b0a6e651b34b54c37d2

      SHA1

      e19188dbfad20b61ff7f36585a9f5225f3a4f6b8

      SHA256

      24491ebdb6641ca0ba23fc6a0f10e75a5520e924ef0901072a1413b23eff5711

      SHA512

      724c61065c51f367ada9cbdeb993ea68fecca0635852d7bba24e8dd2c7e7818ece9a75ba214a0a49f63c6964fe73f2d8824c17170e58d8196e405bc66fb28ee5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\6faa6b70401bda86a53e85c24e767fb918206a83d365ce6e7dcf4df7b3982b58.exe
      Filesize

      653KB

      MD5

      b78bc6dc4e5f2b0a6e651b34b54c37d2

      SHA1

      e19188dbfad20b61ff7f36585a9f5225f3a4f6b8

      SHA256

      24491ebdb6641ca0ba23fc6a0f10e75a5520e924ef0901072a1413b23eff5711

      SHA512

      724c61065c51f367ada9cbdeb993ea68fecca0635852d7bba24e8dd2c7e7818ece9a75ba214a0a49f63c6964fe73f2d8824c17170e58d8196e405bc66fb28ee5

      Download Submit
    • memory/5048-133-0x0000012E77D70000-0x0000012E77E18000-memory.dmp
      Filesize

      672KB

      Download
    • memory/5048-130-0x0000000000000000-mapping.dmp
      Download
    • memory/5048-134-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp
      Filesize

      10.8MB

      Download