Analysis
max time kernel: 103s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 05:51

Static task: static1

Behavioral task: behavioral1
Sample: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Resource: win10v2004-20220414-en

General
Target: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Size: 602KB
MD5: 993b822d6ddede8b886635e88f83cf59
SHA1: 01ec71e477dc29260e46ce2ee716a81a84eb176d
SHA256: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480
SHA512: 37ebdb7192380410f69aaaec4f6f0ce681182fe7a0fb6183b8cd98aa842530e580751086ec421f985cc7ee58bba618bb4329fa957601150e910039ecf03634c9
Malware Config
Signatures
Detect Neshta Payload (2 IoCs)
Processes:
  resource: C:\odt\office2016setup.exe
  yara_rule: family_neshta
  resource: C:\Users\Admin\AppData\Roaming\Ground.exe
  yara_rule: family_neshta

Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
Executes dropped EXE (1 IoCs)
Processes: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
  pid: 2676
  process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
Processes: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Drops file in Windows directory (2 IoCs)
Processes: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
  File opened for modification: C:\Windows\svchost.com
  File opened for modification: C:\Windows\bfsvc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
  PID 660 wrote to memory of 2676 (process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe, target process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe)
  PID 660 wrote to memory of 2676 (process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe, target process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe)
  PID 660 wrote to memory of 2676 (process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe, target process: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3582-490\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
  Filesize: 562KB
  MD5: be3ae6a678ccd948d3f0bfccdf314148
  SHA1: 0734c70c1ae5a1b40684e9a6ba36d8afaf01aed1
  SHA256: 881cd1d326dd557a5b27ba322df35e8cd51d3be2f90ef427d19e1ca7cc245c94
  SHA512: 439ece7c9ba256dbf97bba2852ac157f4ed8f20503aa08144c6719e47986961b9d1f4d02e80846bec0da81dfcc0cd38e20084385e00b4bbd96d0292f991cf6c4

C:\Users\Admin\AppData\Roaming\Ground.exe
  Filesize: 602KB
  MD5: 993b822d6ddede8b886635e88f83cf59
  SHA1: 01ec71e477dc29260e46ce2ee716a81a84eb176d
  SHA256: 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480
  SHA512: 37ebdb7192380410f69aaaec4f6f0ce681182fe7a0fb6183b8cd98aa842530e580751086ec421f985cc7ee58bba618bb4329fa957601150e910039ecf03634c9

C:\odt\office2016setup.exe
  Filesize: 5.1MB
  MD5: 02c3d242fe142b0eabec69211b34bc55
  SHA1: ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
  SHA256: 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
  SHA512: 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

memory/2676-130-0x0000000000000000-mapping.dmp

memory/2676-133-0x0000000000400000-0x000000000048D000-memory.dmp
  Filesize: 564KB

memory/2676-136-0x0000000000400000-0x000000000048D000-memory.dmp
  Filesize: 564KB