Analysis
max time kernel: 64s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 23-06-2022 19:08
Static task: static1
Behavioral task: behavioral1 (Sample: LIZ.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: LIZ.exe, Resource: win10v2004-20220414-en)
General
Target: LIZ.exe
Size: 86KB
MD5: 208325c2e57a7d0c51d5b0ad2d7d8248
SHA1: 2bfb81ff22483ddf16e0cd792f3cdc26799b0c3a
SHA256: fd8ecb99ecee0d54565a781a729ee7ad19203a5105820981d5e818c45d09f82f
SHA512: b8edb0a68dbc685a1b9bc99e83067fa6b69a0650decf1a189e405a61dc7fc192b36d2e6a51b7695069d3f31a794219a7816609ca6602c24e4d04cd3d699ceaa9
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
The exefile open command is rewritten so that every .exe started through the shell runs C:\Windows\svchost.com first, with the intended program passed to it as "%1". This is the hook that keeps the infector running after the sample itself exits.
Processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: LIZ.exe)
-
Neshta
Neshta is a file infector: it writes its own code into other executables so that each infected program carries and spreads the infector. In this run the submitted LIZ.exe (86KB) is itself an infected host: it drops the original 46KB program to %TEMP%\3582-490\ and runs it (see the process tree below), while opening the Program Files executables listed below for modification.
-
Executes dropped EXE 1 IoCs
Processes:
PID 1288 LIZ.exe
-
Loads dropped DLL 3 IoCs
Processes:
PID 1912 LIZ.exe (three loads recorded)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. The report attaches no IoC to this signature; the browser-related paths in this run (iexplore.exe, the Mozilla maintenance binary) appear below as executables opened for modification, not as profile reads.
-
Drops file in Program Files directory 64 IoCs
Processes: LIZ.exe. Every entry below is "File opened for modification" by LIZ.exe; these are the executables the infector selected as hosts, recorded under their 8.3 short names. Each of them needs to be re-hashed against a known-good copy or restored.
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
File opened for modification C:\Windows\svchost.com (process: LIZ.exe). This .com file is the binary the rewritten exefile handler points at; it is unrelated to the legitimate C:\Windows\System32\svchost.exe, and the look-alike name is meant to make it blend in.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature ("likely ransomware behaviour") does not fit this run: nothing in the report encrypts or renames user data, and a file infector enumerates drives to find executables to infect, which is what the Program Files writes above show.
-
Modifies registry class 1 IoCs
Processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: LIZ.exe; the same write as the filetype-association signature above)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
PID 1912 (LIZ.exe, the submitted sample) wrote to memory of PID 1288 (LIZ.exe, the dropped original it launched), recorded four times
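The two facts a responder needs from the signatures above are whether the exefile handler has been hijacked (and by what), and which executables the sample opened for writing. The following Python is an added example, not code from the sandbox or this report: it parses lines shaped like the ones above into exactly that. The sample lines are constructed from this page's entries; the stock Windows handler value `"%1" %*` and the treatment of the `3582-490` directory as the infector's drop location are assumptions noted in the comments.

```python
import re

# Stock Windows data for HKLM\SOFTWARE\Classes\exefile\shell\open\command
# (assumption stated in the lead-in). The report shows it rewritten to
# 'C:\Windows\svchost.com "%1" %*': every .exe started through the shell then
# runs the dropped infector first, and the real target only arrives as "%1".
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Assumption: the directory the infector unpacks the displaced original into,
# taken from the process tree on this page.
NESHTA_DROP_DIR = "3582-490"

# Constructed from the signature and process-tree entries on this page. The
# trailing token of a signature line is the process that performed the action.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" LIZ.exe',
    r'File opened for modification C:\Windows\svchost.com LIZ.exe',
    r'File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE LIZ.exe',
    r'File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe LIZ.exe',
    r'File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe LIZ.exe',
    r'C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe Filesize 46KB',
    r'PID 1912 wrote to memory of 1288 1912 LIZ.exe LIZ.exe',
]

SET_VALUE_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\? = "(?P<val>.*)" \S+$')
FILE_MOD_RE = re.compile(r'File opened for modification (?P<path>\S+) \S+$')


def unescape_report_value(raw):
    """Undo the C-style escaping the report applies to REG_SZ data."""
    return re.sub(r'\\(.)', r'\1', raw)


def check_exefile_handler(value):
    """Return the program wedged in front of "%1", or None if the handler is stock."""
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return None
    if v.endswith(DEFAULT_EXEFILE_COMMAND):
        return v[: -len(DEFAULT_EXEFILE_COMMAND)].strip()
    return v  # some other non-default handler: report it verbatim


def triage(lines):
    """Reduce report lines to the items a responder acts on."""
    hijacker = None
    modified = []
    dropped = []
    for line in lines:
        m = SET_VALUE_RE.search(line)
        if m:
            if m.group("key").lower().endswith(r"\classes\exefile\shell\open\command"):
                hijacker = check_exefile_handler(unescape_report_value(m.group("val")))
            continue
        m = FILE_MOD_RE.search(line)
        if m:
            modified.append(m.group("path"))
            continue
        for token in line.split():
            if f"\\{NESHTA_DROP_DIR}\\" in token and token.lower().endswith(".exe"):
                dropped.append(token)
    lower_hijacker = (hijacker or "").lower()
    return {
        # program that now fronts every .exe launch, or None
        "handler_hijack": hijacker,
        # the handler target was also written by the sample: that is the dropped infector
        "infector_binary": next((p for p in modified if p.lower() == lower_hijacker), None),
        # every other executable the sample opened for writing: re-hash or restore these
        "candidate_hosts": [p for p in modified
                            if p.lower().endswith(".exe") and p.lower() != lower_hijacker],
        # originals the infector unpacked to its drop directory before running them
        "dropped_originals": dropped,
    }


if __name__ == "__main__":
    for key, val in triage(REPORT_LINES).items():
        print(f"{key}: {val}")
```

On a live host the same check is `reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command"`; anything other than `"%1" %*` means the handler is hijacked. Fix the registry value before running any cleanup executable, because while the hijack is in place every .exe launch, the cleanup tool included, goes through C:\Windows\svchost.com first; then remove that file and restore or re-verify each listed host executable.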
Processes
-
C:\Users\Admin\AppData\Local\Temp\LIZ.exe "C:\Users\Admin\AppData\Local\Temp\LIZ.exe" (depth 1; PID 1912, the submitted sample)
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe "C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe" (depth 2, child of PID 1912; PID 1288, the dropped original)
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe
Filesize: 46KB
MD5: 91d250c1e5c73c743b0e3becd2296969
SHA1: 13952c214f73fb5ea56c0eca570faf8e45313b0f
SHA256: 987c83dbf43df97430783c0098318cc6b1c41e52d460128746f7e89bd052ba5d
SHA512: b6cf1538bb2f5c82e9388579837b7d19777208d64284bf9495b7612e9e2de961ab6819fc6d4b538608343baab4c27c04897182d1dd95c215a1197c193b2f3857
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe
Filesize: 46KB
MD5: 91d250c1e5c73c743b0e3becd2296969
SHA1: 13952c214f73fb5ea56c0eca570faf8e45313b0f
SHA256: 987c83dbf43df97430783c0098318cc6b1c41e52d460128746f7e89bd052ba5d
SHA512: b6cf1538bb2f5c82e9388579837b7d19777208d64284bf9495b7612e9e2de961ab6819fc6d4b538608343baab4c27c04897182d1dd95c215a1197c193b2f3857
-
memory/1288-57-0x0000000000000000-mapping.dmp
-
memory/1912-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
Filesize: 8KB