Analysis
max time kernel: 65s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 03:53
Static task: static1
Behavioral task: behavioral1
  Sample: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
  Resource: win10v2004-20220414-en
General
Target: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Size: 2.7MB
MD5: 30886a4a12473e0426dee2068c918487
SHA1: d5bec6ceafb4fd8c8a0834355c9451fc4c781497
SHA256: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8
SHA512: 342cf921f0447e670a99223547a98fcc572353342b87c3ef836a65bf8cb24f94a89421b10bd602eba4205e647871b40e2344a0d12a2215c58044eaaac6fb5853
Malware Config
Signatures
-
Modifies system executable filetype association (2 TTPs, 1 IoC)
Process: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
The clean default for this value is "%1" %*. With C:\Windows\svchost.com prepended, every .exe the user launches is started through the dropped svchost.com, which then runs the real target; this is Neshta's persistence mechanism. The name and the .com extension are chosen to blend in with the legitimate C:\Windows\System32\svchost.exe. Restoring the default value stops the interposition but does not clean executables that were already infected.
-
Neshta
Neshta is a file infector: it writes its own code into other executables so that running any infected program spreads the infection further. An infected file carries the original program inside it and, when executed, drops that original to %TEMP%\3582-490\<original name> and runs it from there so the victim sees normal behaviour; that directory is the characteristic Neshta artefact and is exactly what the process tree below shows.
-
Executes dropped EXE (1 IoC)
Process: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe, PID 4308 (the copy dropped to C:\Users\Admin\AppData\Local\Temp\3582-490\)
-
Checks computer location settings (2 TTPs, 1 IoC)
Queries the country code configured in the registry, commonly used as a geofence.
Process: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Description: Key value queried
IoC: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Drops file in Windows directory (1 IoC)
Process: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Description: File opened for modification
IoC: C:\Windows\svchost.com
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this likely ransomware behaviour; for a Neshta file infector the more consistent reading is a sweep across drives for further executables to infect, which matches the other signatures in this report.
-
Program crash (1 IoC)
Process: WerFault.exe, PID 4780, target PID 4308 (76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe). The dropped host copy crashed and was handled by Windows Error Reporting.
-
Modifies registry class (1 IoC)
Process: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
This is the same registry write that triggered the filetype-association signature above; the two rules overlap rather than indicating a second modification.
-
Suspicious use of WriteProcessMemory (2 IoCs)
Process: 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
PID 4164 wrote to memory of PID 4308 (76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe -> 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe), recorded twice.
Both writes are from the parent into the child it has just spawned, which is also what an ordinary process start looks like (the parent writes the new process's parameters into it); on its own this is weak evidence of code injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe (PID 4164)
Command line: "C:\Users\Admin\AppData\Local\Temp\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe"
Signatures: Modifies system executable filetype association; Checks computer location settings; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe (PID 4308, under PID 4164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe"
  Signatures: Executes dropped EXE
    -
    C:\Windows\system32\WerFault.exe (PID 4780, under PID 4308)
    Command line: C:\Windows\system32\WerFault.exe -u -p 4308 -s 1012
    Signatures: Program crash
-
C:\Windows\system32\WerFault.exe (PID 4348)
Command line: C:\Windows\system32\WerFault.exe -pss -s 412 -p 4308 -ip 4308
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Filesize: 2.0MB
MD5: 8176d0d1d53a67e0dc411e1344fceafe
SHA1: 9b9e122b2fd902b69a46c7c8d18eeaf03bae593c
SHA256: 4ba6a825975e9c9480b8cce72f711f768faed3c8b09828b8c54b5427279eda27
SHA512: 3a91e0a9cf4a720e90c31fbd2a3c01174dfbe259e2e89ddb83013c971d1b0b1676577673ab496115d5c312e3d705432e9a81e402865add260ebf24647bc3ec4e
-
C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Filesize: 2.0MB
MD5: 3f82c3a400adfe27d5b390da886669c1
SHA1: a557ec9223e211ae905685c93045e92798e79077
SHA256: 798871abc2179797b919a39b7d4469070c3c4e52bfde0ee190c19a58f42fe04e
SHA512: a27604c50ea67213822ff24a6dd2875396f37abf2392747c7059e20fa82cac9fed2ad0c1e4c47734e4744b8424386b893e4c47449c38eb197b2810354907d97c
The same path is listed twice with different hashes: two different file contents were captured at this location during the run.
-
memory/4308-130-0x0000000000000000-mapping.dmp
-
memory/4308-133-0x0000000000210000-0x00000000004C8000-memory.dmp
Filesize: 2.7MB
-
memory/4308-134-0x00007FFB4FB80000-0x00007FFB50641000-memory.dmp
Filesize: 10.8MB