Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/09/2022, 13:36

General

  • Target: PURCHASE ORDER No. 2210748.exe
  • Size: 60KB
  • MD5: 8626c81eed96c8096820864fc005d248
  • SHA1: b383487bcda8ac2a8763a31cc9de3b1ddea472cd
  • SHA256: 1e6e0886d9d29f56259e1a5a7890727af76f8f46011341f755381704aa32ce36
  • SHA512: 41187c9b45ee252d46718d37d1563a958a487f33e60592c7ed3f1db8a8911727ab95eef254eb57e4247dd68ae5298bf23631fb0ac721d053df62c7302826ed37
  • SSDEEP: 1536:75XYNK5uDUaQl+kzdC9GiZQWSwi/fUpS/fX/MNZ:7CQ5uis1Jy///f/M7

Malware Config

Signatures

  • Detect Neshta payload (5 IoCs)
  • Modifies system executable filetype association (2 TTPs, 1 IoC)
  • Neshta

    Malware from the Neshta family is a file infector: it writes itself into other executables to spread and cause damage.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry; likely a geofence check.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe
    "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3104
    • C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe
      "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"
      2⤵
      PID:2976
    • C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe
      "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER No. 2210748.exe"
      2⤵
      • Modifies system executable filetype association
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:1572

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\VDKDQO~1\Aghhy.exe
    Filesize: 60KB
    MD5: 8626c81eed96c8096820864fc005d248
    SHA1: b383487bcda8ac2a8763a31cc9de3b1ddea472cd
    SHA256: 1e6e0886d9d29f56259e1a5a7890727af76f8f46011341f755381704aa32ce36
    SHA512: 41187c9b45ee252d46718d37d1563a958a487f33e60592c7ed3f1db8a8911727ab95eef254eb57e4247dd68ae5298bf23631fb0ac721d053df62c7302826ed37
  • memory/224-133-0x00000000054E0000-0x0000000005A84000-memory.dmp
    Filesize: 5.6MB
  • memory/224-134-0x0000000004FD0000-0x0000000005062000-memory.dmp
    Filesize: 584KB
  • memory/224-135-0x0000000004F70000-0x0000000004F7A000-memory.dmp
    Filesize: 40KB
  • memory/224-136-0x0000000006600000-0x0000000006622000-memory.dmp
    Filesize: 136KB
  • memory/224-132-0x0000000000460000-0x0000000000474000-memory.dmp
    Filesize: 80KB
  • memory/1572-152-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/1572-150-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/1572-148-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/1572-149-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/1572-147-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/3104-144-0x0000000006D70000-0x0000000006D8A000-memory.dmp
    Filesize: 104KB
  • memory/3104-143-0x00000000080C0000-0x000000000873A000-memory.dmp
    Filesize: 6.5MB
  • memory/3104-142-0x0000000006870000-0x000000000688E000-memory.dmp
    Filesize: 120KB
  • memory/3104-141-0x0000000006280000-0x00000000062E6000-memory.dmp
    Filesize: 408KB
  • memory/3104-140-0x00000000061A0000-0x0000000006206000-memory.dmp
    Filesize: 408KB
  • memory/3104-139-0x0000000005B00000-0x0000000006128000-memory.dmp
    Filesize: 6.2MB
  • memory/3104-138-0x0000000002F30000-0x0000000002F66000-memory.dmp
    Filesize: 216KB