Analysis

  • max time kernel
    114s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-08-2022 15:10

General

  • Target

    1.exe

  • Size

    851KB

  • MD5

    286099dac2f03c7764d9fc6d8c5e02e2

  • SHA1

    eedd56af4f225f991eb63f37597d7ab6e4abeac7

  • SHA256

    4d6bee9938b85e65fabba0b920efcff479e565ebbdd91a7d6a631fa7475e9f74

  • SHA512

    63cf51afd8a4cf8c8afdb498dbf589b12b86c8b978313e9a41ad9dbf1f511cac55b938fa479b8d76e1330df7b7dd6c5be94759165467eb234d6dbc5380edc3b9

Malware Config

Signatures

  • Detect Neshta payload 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family infects other executable files in order to spread and cause damage.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1264
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      PID:1044
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
        • Modifies system executable filetype association
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        PID:1048
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:1996

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Roaming\WIRKPK~1\Ddhnvo.exe

      Filesize

      891KB

      MD5

      2bae35cb37885221cf82174985f7854d

      SHA1

      0bd3a8e0c33f9b3104c78b67d44bad5d0fbb6303

      SHA256

      9bf43016236415af949773be2d6977c08e450f66efd95b83febf2148f8dc1307

      SHA512

      50bf9d587eb3d3df7ee4a41e8d87568a200f662c39213127a7893d3fd68830a8bc79940a1f8ba895b0e52057744532b6fe120b9214bf15ada13523ab16c6ff3f

    • memory/1044-140-0x0000000000000000-mapping.dmp

    • memory/1048-148-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1048-147-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1048-145-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1048-144-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1048-143-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1048-142-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/1048-141-0x0000000000000000-mapping.dmp

    • memory/1264-134-0x0000000005170000-0x0000000005798000-memory.dmp

      Filesize

      6.2MB

    • memory/1264-139-0x00000000065C0000-0x00000000065DA000-memory.dmp

      Filesize

      104KB

    • memory/1264-138-0x0000000007710000-0x0000000007D8A000-memory.dmp

      Filesize

      6.5MB

    • memory/1264-137-0x00000000060C0000-0x00000000060DE000-memory.dmp

      Filesize

      120KB

    • memory/1264-136-0x0000000005A60000-0x0000000005AC6000-memory.dmp

      Filesize

      408KB

    • memory/1264-135-0x00000000059F0000-0x0000000005A56000-memory.dmp

      Filesize

      408KB

    • memory/1264-133-0x0000000004B00000-0x0000000004B36000-memory.dmp

      Filesize

      216KB

    • memory/1264-132-0x0000000000000000-mapping.dmp

    • memory/4324-130-0x0000000000EC0000-0x0000000000F9A000-memory.dmp

      Filesize

      872KB

    • memory/4324-131-0x00000000059F0000-0x0000000005A12000-memory.dmp

      Filesize

      136KB