neshta | 4d8e5e85b3d49509eab8e7ffebad940147ed950fcddab60e8a13409dfc2b8fc5

Resubmissions

28-05-2022 09:40

220528-lnm9vaggek 10

26-05-2022 13:49

220526-q4qr5abhh8 10

Analysis

max time kernel
10s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
28-05-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Petya.exe
Size

266KB
MD5

505e38e344f45ea9ff9c9b560d851c1e
SHA1

c5e934de62fbbad105eef0ec1b533ca00aba05b0
SHA256

4d8e5e85b3d49509eab8e7ffebad940147ed950fcddab60e8a13409dfc2b8fc5
SHA512

6dcc186c7e71fbd104eb0c29777525e59c43aaa6a6e6a439ae2805e1f8d1589c200ce7b5cb622519b9ad8f4480615e8e980132b617e944c3017462a411898689

Score

10^/10

neshta bootkit persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

Petya.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" Petya.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

Petya.exe

pid process

1332 Petya.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Petya.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation Petya.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Petya.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Petya.exe
Drops file in Windows directory 1 IoCs

Processes:

Petya.exe

description ioc process

File opened for modification C:\Windows\svchost.com Petya.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Petya.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" Petya.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Petya.exe

description pid process

Token: SeShutdownPrivilege 1332 Petya.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Petya.exe

pid	process
1332	Petya.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Petya.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Petya.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	Petya.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Petya.exe

description	pid	process
Token: SeShutdownPrivilege	1332	Petya.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Petya.exe

description	pid	process	target process
PID 1908 wrote to memory of 1332	1908	Petya.exe	Petya.exe
PID 1908 wrote to memory of 1332	1908	Petya.exe	Petya.exe
PID 1908 wrote to memory of 1332	1908	Petya.exe	Petya.exe

C:\Users\Admin\AppData\Local\Temp\Petya.exe
"C:\Users\Admin\AppData\Local\Temp\Petya.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\3582-490\Petya.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Petya.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\Petya.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
memory/1332-130-0x0000000000000000-mapping.dmp

Download
memory/1332-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-133-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download