Analysis
-
max time kernel
6s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 14:07
Static task
static1
Behavioral task
behavioral1
Sample
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
Resource
win10v2004-20220414-en
General
-
Target
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
-
Size
4.2MB
-
MD5
e1e261cf3c2c0b128cab982171468b74
-
SHA1
ee721c539932808cb3e4691ae94c6fd27ab9e53d
-
SHA256
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594
-
SHA512
020f39f242e148540e20c25fcdf1dc52a0a112252262a14f6028f51ed174a7bf66480c8c99cafb8feea8c096dbfe8e5f95121cadbb0264133cd95ef033b9c6b3
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exepid process 4856 ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe -
Drops file in Windows directory 1 IoCs
Processes:
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exedescription ioc process File opened for modification C:\Windows\svchost.com ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exedescription pid process target process PID 1848 wrote to memory of 4856 1848 ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe PID 1848 wrote to memory of 4856 1848 ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe PID 1848 wrote to memory of 4856 1848 ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe"C:\Users\Admin\AppData\Local\Temp\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe"2⤵
- Executes dropped EXE
PID:4856
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exeFilesize
501KB
MD5e5d76d029ef37c45411945a4c4083282
SHA1975e4c15e6618bcecb483dd96c55e008f9b14341
SHA2560fa230fff1d267b80b8afb6822dd3df567efea06b4e10b1f8449d5792a4394c5
SHA51211014fab54b2ff8719035bc45cddf3b7a604aa66026544dd9b4bf42eced27cd47bcac07022121e40098266bfa5fcc6a754d591fc67b1aea384a1685eff2347ca
-
C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exeFilesize
93KB
MD5daf23df308246f667173127a55fbe463
SHA15f03005e9356e920dc9e5644918be293275f919b
SHA25646c8d626674d408c991b55b9e01e7f2bff8a579826768cc902f463eac9701046
SHA5129d4157d8d6744aa46dfb4717a3b81d70af7412fb4352b4f68661edd2dacbcaa57f42150c2ca709e02471aaa4b508eddcc1d1018f435d82a2694a02b3a4bd9937
-
memory/4856-130-0x0000000000000000-mapping.dmp