Analysis
max time kernel: 160s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 01-07-2022 06:48
Static task: static1
Behavioral task: behavioral1
  Sample: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
  Resource: win10v2004-20220414-en
General
Target: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Size: 562KB
MD5: 4bf385ae946b98e2679998ce449c2474
SHA1: c6a097bd4174d9cc319972ef00c22ee891b839f7
SHA256: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e
SHA512: 3ed10d09d750f200fc155672c7d7ba21ed4e230cd0eaae4634327770984831c489bb3967e55b263fe54280a47a7c5a5abfad5e627a69a7d7064ce3f4d55c9a9c
Malware Config
Signatures

Detect Neshta Payload (2 IoCs)
Processes:
resource                                    yara_rule
C:\odt\office2016setup.exe                  family_neshta
C:\Users\Admin\AppData\Roaming\Ground.exe   family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
description       ioc                                                                                                          process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"        69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Executes dropped EXE (1 IoCs)
Processes: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
pid    process
3144   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
description         ioc                                                                                                  process
Key value queried   \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in Program Files directory (64 IoCs)
Processes: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe, 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
process (every row): 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
description                    ioc
File opened for modification   C:\Program Files\Google\Chrome\Application\gchrome_proxy.exe
File created                   C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
File opened for modification   C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
File opened for modification   C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE
File opened for modification   C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
File created                   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\gDW20.ico
File opened for modification   C:\Program Files\7-Zip\g7z.exe
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\bin\gjrunscript.exe
File created                   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\geqnedt32.ico
File created                   C:\Program Files\Microsoft Office 15\ClientX64\gIntegratedOffice.ico
File opened for modification   C:\Program Files\Google\Chrome\Application\89.0.4389.114\gelevation_service.exe
File opened for modification   C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\gchrmstp.exe
File opened for modification   C:\Program Files\Internet Explorer\iexplore.exe
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
File opened for modification   C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
File created                   C:\Program Files\Common Files\microsoft shared\ClickToRun\gAppVShNotify.ico
File opened for modification   C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui
File opened for modification   C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
File opened for modification   C:\Program Files\Google\Chrome\Application\gchrome.exe
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
File opened for modification   C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\gextcheck.ico
File opened for modification   C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
File opened for modification   C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\gjconsole.ico
File opened for modification   C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
File opened for modification   C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\gidlj.ico
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0
File opened for modification   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\gSQLDumper.exe
File opened for modification   C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
File created                   C:\Program Files\Common Files\microsoft shared\ClickToRun\gMavInject32.ico
File opened for modification   C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
File opened for modification   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
File opened for modification   C:\Program Files\Windows Mail\wab.exe
File opened for modification   C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCXA4F.tmp
File opened for modification   C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
File opened for modification   C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe
File created                   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\gSQLDumper.ico
File opened for modification   C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
File created                   C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe
File created                   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\gSQLDumper.ico
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\gjava-rmi.ico
File opened for modification   C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE
File created                   C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe
File opened for modification   C:\PROGRA~2\WINDOW~4\setup_wm.exe
File opened for modification   C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
File opened for modification   C:\Program Files\7-Zip\g7zFM.exe
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\bin\gjava-rmi.exe
File created                   C:\Program Files\Java\jdk1.8.0_66\bin\gjavap.ico
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\bin\gjhat.exe
File opened for modification   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe
File opened for modification   C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui
File opened for modification   C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe
File created                   C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe
File opened for modification   C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
File opened for modification   C:\Program Files\Internet Explorer\ielowutil.exe
Drops file in Windows directory (2 IoCs)
Processes: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe, 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
description                    ioc                      process
File opened for modification   C:\Windows\svchost.com   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification   C:\Windows\bfsvc.exe     69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
description       ioc                                                                                                          process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"        69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
description                        pid    process                                                                  target process
PID 4460 wrote to memory of 3144   4460   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
PID 4460 wrote to memory of 3144   4460   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
PID 4460 wrote to memory of 3144   4460   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe   69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3582-490\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
  Filesize: 521KB
  MD5: 4dd7aaab9842afd62abfd1dea54088a9
  SHA1: 86128fa917b8ad84da7b0468d6fe011c05c69bfc
  SHA256: 6b2fe92e9c5c271f76c080a63f472f545ed2c94a8a787774a84017786d91aa51
  SHA512: af78d47b727ab880402d171c6824592b9e9824fc6759bfb77e87ce610dc510c25fe82750dc995a95e41a5aea583c617e02f3180571f5fd846bda84e51c8621b5
C:\Users\Admin\AppData\Roaming\Ground.exe
  Filesize: 562KB
  MD5: 4bf385ae946b98e2679998ce449c2474
  SHA1: c6a097bd4174d9cc319972ef00c22ee891b839f7
  SHA256: 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e
  SHA512: 3ed10d09d750f200fc155672c7d7ba21ed4e230cd0eaae4634327770984831c489bb3967e55b263fe54280a47a7c5a5abfad5e627a69a7d7064ce3f4d55c9a9c

C:\odt\office2016setup.exe
  Filesize: 5.1MB
  MD5: 02c3d242fe142b0eabec69211b34bc55
  SHA1: ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
  SHA256: 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
  SHA512: 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

memory/3144-130-0x0000000000000000-mapping.dmp

memory/3144-133-0x0000000000400000-0x000000000048D000-memory.dmp
  Filesize: 564KB

memory/3144-134-0x0000000000400000-0x000000000048D000-memory.dmp
  Filesize: 564KB