Analysis
-
max time kernel
104s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 03:34
Static task
static1
Behavioral task
behavioral1
Sample
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe
Resource
win10v2004-20220414-en
General
-
Target
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe
-
Size
802KB
-
MD5
0a0f18968171592d780c37040b0cc8f7
-
SHA1
b3ac11608c14718a2dda2e473404ad3be148381c
-
SHA256
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1
-
SHA512
d26b9c704da351a78009636792653a57d3fa763a6fdb99c61d04ff66b9ce340cb39ee1dc795270dccf786e3a9a6df725eea4437bb673f622faa192f87f34bc06
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exepid process 1976 b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe -
Drops file in Program Files directory 14 IoCs
Processes:
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exedescription ioc process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe -
Drops file in Windows directory 1 IoCs
Processes:
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exedescription ioc process File opened for modification C:\Windows\svchost.com b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4804 1976 WerFault.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe -
Modifies registry class 1 IoCs
Processes:
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exedescription pid process target process PID 2692 wrote to memory of 1976 2692 b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe PID 2692 wrote to memory of 1976 2692 b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe"C:\Users\Admin\AppData\Local\Temp\b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\3582-490\b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exe"2⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1976 -s 8043⤵
- Program crash
PID:4804
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 432 -p 1976 -ip 19761⤵PID:3188
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exeFilesize
762KB
MD588cfb214afe57fc40a580f62d6a0e11b
SHA13f1be26a5846781fc3226330454ff558a7cbdd93
SHA256e78ffec8206e64a0d608381b03a06bdf648971c2cb514bec2ea818969e3fd4f1
SHA5128a33e7328a692bc3ad210f3b3264b1d48df908d27fe82bfbe68179fea52ac304bc47c13410748a2561f9ae45c4dba853788b230f34a18ec14fafe591feb98393
-
C:\Users\Admin\AppData\Local\Temp\3582-490\b9cf68589937f874c1b247cacec8f6e5ea21ed9f7a91f262a19c9fd1323f99b1.exeFilesize
762KB
MD588cfb214afe57fc40a580f62d6a0e11b
SHA13f1be26a5846781fc3226330454ff558a7cbdd93
SHA256e78ffec8206e64a0d608381b03a06bdf648971c2cb514bec2ea818969e3fd4f1
SHA5128a33e7328a692bc3ad210f3b3264b1d48df908d27fe82bfbe68179fea52ac304bc47c13410748a2561f9ae45c4dba853788b230f34a18ec14fafe591feb98393
-
memory/1976-130-0x0000000000000000-mapping.dmp
-
memory/1976-133-0x0000000000600000-0x00000000006C4000-memory.dmpFilesize
784KB
-
memory/1976-134-0x00007FFECCC70000-0x00007FFECD731000-memory.dmpFilesize
10.8MB