Analysis
max time kernel: 147s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 23-06-2022 19:08
Static task: static1
Behavioral task: behavioral1 (sample LIZ.exe, resource win7-20220414-en)
Behavioral task: behavioral2 (sample LIZ.exe, resource win10v2004-20220414-en)
General
Target: LIZ.exe
Size: 86KB
MD5: 208325c2e57a7d0c51d5b0ad2d7d8248
SHA1: 2bfb81ff22483ddf16e0cd792f3cdc26799b0c3a
SHA256: fd8ecb99ecee0d54565a781a729ee7ad19203a5105820981d5e818c45d09f82f
SHA512: b8edb0a68dbc685a1b9bc99e83067fa6b69a0650decf1a189e405a61dc7fc192b36d2e6a51b7695069d3f31a794219a7816609ca6602c24e4d04cd3d699ceaa9
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoC)
With this value every .exe launched through the shell runs C:\Windows\svchost.com first, which receives the original program path and arguments as "%1" %*.
  process  description      ioc
  LIZ.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Neshta
Neshta is a file-infecting virus: it writes its own code into other executable files in order to spread, damaging the host files in the process.
Executes dropped EXE (1 IoC)
  process  pid
  LIZ.exe  1456
Checks computer location settings (2 TTPs, 1 IoC)
Queries the country code configured in the registry, likely for geofencing.
  process  description        ioc
  LIZ.exe  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets. No IoC was recorded for this signature.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by LIZ.exe. Paths are 8.3 short names as recorded by the sandbox (on a 64-bit image PROGRA~2 and PROGRA~3 typically resolve to Program Files (x86) and ProgramData).
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~4.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  C:\PROGRA~2\WINDOW~4\setup_wm.exe
  C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE
  C:\PROGRA~2\WINDOW~4\wmplayer.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  C:\PROGRA~2\INTERN~1\ExtExport.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE
  C:\PROGRA~2\WINDOW~4\wmprph.exe
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  C:\PROGRA~2\WINDOW~4\wmlaunch.exe
  C:\PROGRA~2\WINDOW~4\wmpconfig.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmpshare.exe
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
Drops file in Windows directory (1 IoC)
  process  description                    ioc
  LIZ.exe  File opened for modification  C:\Windows\svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage or optical drives. The sandbox labels this as likely ransomware behaviour; for a file infector such as Neshta it is equally consistent with scanning attached drives for executables to infect. No IoC was recorded for this signature.
Modifies registry class (1 IoC)
  process  description      ioc
  LIZ.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Suspicious use of WriteProcessMemory (3 IoCs)
  process  pid   description          target pid  target process
  LIZ.exe  2856  wrote to memory of   1456        LIZ.exe   (recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\LIZ.exe (PID 2856)
   command line: "C:\Users\Admin\AppData\Local\Temp\LIZ.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe (PID 1456, child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe"
      - Executes dropped EXE
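The three host artifacts this report records (the exefile handler rewritten to C:\Windows\svchost.com, the dropped svchost.com itself, and the %TEMP%\3582-490 directory the 46KB LIZ.exe was executed from) give a straightforward host-side triage check. The script below is an added example written for this page; it is not part of the sandbox report or of the sample, and the function names and the -Remediate switch are its own. It assumes an elevated PowerShell 5.1 or later session on the suspect host.

```powershell
# Added Neshta host triage example (not from the sandbox report).
# Checks the artifacts the report records and, with -Remediate, restores the
# stock exefile handler. Assumes an elevated PowerShell 5.1+ session.
[CmdletBinding()]
param([switch]$Remediate)   # switch name is this example's own

$ErrorActionPreference = 'Stop'
$DefaultExeCommand = '"%1" %*'   # stock Windows value of exefile\shell\open\command

function Get-ExeFileHandlers {
    # HKCU\Software\Classes overrides HKLM\Software\Classes for the logged-on user,
    # so both hives are read; the report shows the HKLM (\REGISTRY\MACHINE) write.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Classes\exefile\shell\open\command"
        if (Test-Path $key) {
            $cmd = (Get-ItemProperty -Path $key).'(default)'
            [pscustomobject]@{
                Key      = $key
                Command  = $cmd
                # Flag only a handler that both differs from stock and routes through svchost.com
                Hijacked = ($cmd -ne $DefaultExeCommand) -and ($cmd -match 'svchost\.com')
            }
        }
    }
}

function Test-NeshtaArtifacts {
    $findings = @()
    foreach ($h in Get-ExeFileHandlers) {
        if ($h.Hijacked) { $findings += "exefile handler hijacked in $($h.Key): $($h.Command)" }
    }
    # Dropped infector copy recorded under "Drops file in Windows directory".
    $svc = Join-Path $env:SystemRoot 'svchost.com'
    if (Test-Path $svc) {
        $sha = (Get-FileHash -Path $svc -Algorithm SHA256).Hash.ToLower()
        $findings += "$svc present (SHA256 $sha); keep a copy for analysis"
    }
    # Directory the dropped 46KB LIZ.exe was executed from in the report.
    $stage = Join-Path $env:TEMP '3582-490'
    if (Test-Path $stage) {
        $n = (Get-ChildItem -Path $stage -File -Recurse | Measure-Object).Count
        $findings += "$stage present with $n file(s)"
    }
    return $findings
}

function Repair-ExeFileHandler {
    # Restore the handler BEFORE deleting svchost.com: while the handler still points
    # at the file, removing it breaks every .exe launch on the host.
    foreach ($h in Get-ExeFileHandlers) {
        if ($h.Hijacked) {
            Set-ItemProperty -Path $h.Key -Name '(default)' -Value $DefaultExeCommand
            Write-Output "restored $($h.Key) to $DefaultExeCommand"
        }
    }
}

$findings = @(Test-NeshtaArtifacts)
if ($findings.Count -eq 0) {
    Write-Output 'none of the artifacts recorded in this report were found'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
    if ($Remediate) { Repair-ExeFileHandler }
}
```

Two caveats when acting on the output. First, the handler fix does not disinfect anything: every executable listed under "Drops file in Program Files directory" was opened for writing by the infector, so launching any of them can reintroduce the sample, and they should be restored from known-good media or reinstalled rather than trusted. Second, the check assumes the .exe extension still maps to the exefile ProgID; if the default value of HKCR\.exe has been pointed elsewhere, inspect that ProgID's shell\open\command as well.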
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe (the dropped executable listed under "Executes dropped EXE"; note its hashes differ from the 86KB submitted sample)
Filesize: 46KB
MD5: 91d250c1e5c73c743b0e3becd2296969
SHA1: 13952c214f73fb5ea56c0eca570faf8e45313b0f
SHA256: 987c83dbf43df97430783c0098318cc6b1c41e52d460128746f7e89bd052ba5d
SHA512: b6cf1538bb2f5c82e9388579837b7d19777208d64284bf9495b7612e9e2de961ab6819fc6d4b538608343baab4c27c04897182d1dd95c215a1197c193b2f3857
memory/1456-130-0x0000000000000000-mapping.dmp