Analysis

  • max time kernel
    156s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2022, 17:57

General

  • Target

    c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d.exe

  • Size

    244KB

  • MD5

    75f0e608e891f7fb2db214dcf1421e80

  • SHA1

    d55f4b135b630f4e004a4143c7f5dcce804b2f69

  • SHA256

    c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d

  • SHA512

    ebc8031d635ab81acfcd6a6847e494cb24558b957a016756fb351947cb36cfc5e87b6f674bd5218b71cc802d2a96cdc2503e8d2e0ff7134e7ba4d48ae4e9741f

  • SSDEEP

    6144:k9iZMdo1pxtJLl8m6IRP0MkPZqDOeENYt/eENYtW:HZJ1l5RMMswEYt2EYtW

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d.exe
    "C:\Users\Admin\AppData\Local\Temp\c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\3582-490\c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3100

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d.exe

          Filesize

          203KB

          MD5

          668255fe3a3c7e8fcfffc2088d4a602d

          SHA1

          ce5b074b1631b282500193aa198ecf67cd5ec8be

          SHA256

          00ec911203580f9aaa7b7d117cf42bbda18097f545c57ce33c6c544bb82f0c8b

          SHA512

          ea9cc3a1ab7e0ae544447aab251f4b4708aadfb777ec1e47ca263abb1d2bc857c78da2f2866035419c0566804ddce635ef98689a08a228076c4aa89e09a14dde

        • C:\Users\Admin\AppData\Local\Temp\3582-490\c2c53aa04c98f8e12e194f82fe5e5b0f739b96e72089be43a91cd88bfa8b046d.exe

          Filesize

          203KB

          MD5

          668255fe3a3c7e8fcfffc2088d4a602d

          SHA1

          ce5b074b1631b282500193aa198ecf67cd5ec8be

          SHA256

          00ec911203580f9aaa7b7d117cf42bbda18097f545c57ce33c6c544bb82f0c8b

          SHA512

          ea9cc3a1ab7e0ae544447aab251f4b4708aadfb777ec1e47ca263abb1d2bc857c78da2f2866035419c0566804ddce635ef98689a08a228076c4aa89e09a14dde

        • memory/3100-135-0x0000000000400000-0x0000000000465000-memory.dmp

          Filesize

          404KB