Analysis
max time kernel: 169s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2022, 17:57
Behavioral task
behavioral1
Sample
b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
Resource
win10v2004-20220812-en
General
Target: b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
Size: 3.7MB
MD5: 62d4256852d08b7e9dd71aed4dcda794
SHA1: 9811d13368a7329182cbc5dfe0c241106266b94a
SHA256: b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced
SHA512: 1deebadac5596c25400901058fd7569f3cd36292e88970dca58653a74ad5e69f7362bbdf76a92ebe1c707832b959b4a3408ebf8d88093ce27590ea207ae2699e
SSDEEP: 98304:BLBjd/mxsp0xW6oyx8roRJcRN8VOTDsU3JeoGjRfYeio0:VBjd/Cbo6vx+ooRqVED7Un5zio
Malware Config
Signatures
Detect Neshta payload (3 IoCs)
resource  ->  yara_rule
behavioral2/files/0x0007000000022f66-138.dat  ->  family_neshta
behavioral2/files/0x0007000000022f66-139.dat  ->  family_neshta
behavioral2/files/0x0004000000009f6a-151.dat  ->  family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
process: b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
Neshta
Neshta is a file-infecting virus: it writes its own code into other executables so that running any infected program also runs the infector, which is how it spreads across a host and damages the programs it touches. In this run it dropped C:\Windows\svchost.com and C:\Windows\directx.sys, registered svchost.com as the handler for every .exe launch (exefile\shell\open\command = C:\Windows\svchost.com "%1" %*), and opened the Adobe Reader executables under C:\PROGRA~2 for modification, both directly and through svchost.com. The process tree shows the hijack in action: TEAMVI~1.EXE is started through C:\Windows\svchost.com rather than directly. Because the handler value persists after the original sample is gone, cleanup means restoring exefile\shell\open\command to "%1" %* and removing the dropped files, not just deleting the sample.
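The handler hijack recorded above is the artefact that outlives the sample, so it is the first thing to check on a suspect host. The script below is an added example written for this page (it is not part of the sandbox report or of any vendor tool): it classifies an exefile\shell\open\command value, decides whether the interposed program matches the Neshta pattern seen here, and checks a path-to-hash listing for the two files the report shows dropped into C:\Windows. The host snapshots at the bottom are constructed to mirror the report's IoCs; the SHA-256 values given for svchost.com and directx.sys are placeholders, because the report lists those paths without tying a hash to them.

```python
r"""Offline triage of the Neshta artefacts recorded in this report.

Added example, not code from the sandbox report or from any vendor tool.
Checks two things the report shows the sample doing:
  1. the exefile\shell\open\command value (stock value: "%1" %*;
     this sample set it to C:\Windows\svchost.com "%1" %*), and
  2. the presence of the files it dropped into C:\Windows.
The host snapshots at the bottom are constructed for the demo; on a live
host feed in the output of
  reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve
and a path -> sha256 listing of the directories of interest.
"""
import re
from typing import Dict, List, Optional, Tuple

# Stock handler: run the double-clicked .exe itself with its arguments.
DEFAULT_EXEFILE_CMD = '"%1" %*'

# Files the report shows this sample writing under C:\Windows.
NESHTA_WINDIR_DROPS = {r"c:\windows\svchost.com", r"c:\windows\directx.sys"}

# SHA-256 values taken from the report: the submitted sample and the 3.6MB
# copy it drops and re-executes from %TEMP%\3582-490\.
REPORT_SHA256 = {
    "b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced":
        "submitted sample (3.7MB)",
    "0f5f032332f7c343f0d8dfa9561a18b44da8106bac9885feac44fa83e35066d7":
        "dropped copy in %TEMP%\\3582-490 (3.6MB)",
}

_TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmd(cmd: str) -> List[str]:
    """Split a shell\\open\\command template on whitespace, keeping quoted
    paths (which may contain spaces) as single tokens."""
    return [t.strip('"') for t in _TOKEN.findall(cmd)]


def classify_exefile_handler(cmd: str) -> Tuple[str, Optional[str]]:
    """Classify an exefile\\shell\\open\\command value.

    ("default", None)    stock value, .exe files run directly
    ("hijacked", path)   a program sits in front of "%1": every .exe launch
                         on the host is routed through it first
    ("malformed", None)  no %1 placeholder, so .exe files cannot launch
    """
    tokens = split_cmd(cmd.strip())
    if "%1" not in tokens:
        return "malformed", None
    if tokens[0] == "%1":
        return "default", None
    return "hijacked", tokens[0]


def is_neshta_handler(cmd: str) -> bool:
    """True for the shape seen in this report: a svchost.com in the Windows
    directory interposed before "%1".  The legitimate svchost.exe lives in
    System32 and is never registered as the exefile handler."""
    verdict, prog = classify_exefile_handler(cmd)
    if verdict != "hijacked":
        return False
    return prog.lower().replace("/", "\\").endswith(r"\windows\svchost.com")


def triage(exefile_cmd: str, files: Dict[str, str]) -> List[str]:
    """files maps full path -> sha256 (hex).  Returns human-readable findings;
    an empty list means none of the report's indicators were seen."""
    findings: List[str] = []
    verdict, prog = classify_exefile_handler(exefile_cmd)
    if verdict == "hijacked":
        tag = "neshta" if is_neshta_handler(exefile_cmd) else "unknown"
        findings.append(f"exefile handler hijacked ({tag}): {prog}")
    elif verdict == "malformed":
        findings.append(f"exefile handler malformed: {exefile_cmd!r}")
    present = {path.lower() for path in files}
    for drop in sorted(NESHTA_WINDIR_DROPS & present):
        findings.append(f"neshta drop present: {drop}")
    for path, digest in files.items():
        label = REPORT_SHA256.get(digest.lower())
        if label:
            findings.append(f"known hash at {path}: {label}")
    return findings


# Constructed snapshots mirroring the report's IoCs (not captured from a
# real host).  The hashes for svchost.com and directx.sys are placeholders:
# the report lists their paths but does not tie a hash to them.
INFECTED_HOST = {
    "exefile_cmd": r'C:\Windows\svchost.com "%1" %*',
    "files": {
        r"C:\Windows\svchost.com": "0" * 64,
        r"C:\Windows\directx.sys": "1" * 64,
        r"C:\Users\Admin\AppData\Local\Temp\3582-490"
        r"\b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe":
            "0f5f032332f7c343f0d8dfa9561a18b44da8106bac9885feac44fa83e35066d7",
    },
}
CLEAN_HOST = {
    "exefile_cmd": DEFAULT_EXEFILE_CMD,
    "files": {r"C:\Windows\System32\svchost.exe": "2" * 64},
}

if __name__ == "__main__":
    for name, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(name, triage(host["exefile_cmd"], host["files"]) or ["no findings"])
```

Order of operations matters on a live host: restore the handler value to "%1" %* before deleting C:\Windows\svchost.com, otherwise every double-clicked program fails to launch until the registry is fixed. The classifier deliberately reports any interposed program, not only the svchost.com shape, since a wrapper registered under a different name is the same persistence technique.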
Executes dropped EXE (3 IoCs)
pid  ->  Process
4940  ->  b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
2404  ->  svchost.com
3176  ->  TEAMVI~1.EXE
UPX-packed (yara rule upx, 4 IoCs)
resource  ->  yara_rule
behavioral2/files/0x0008000000022f5f-134.dat  ->  upx
behavioral2/files/0x0008000000022f5f-133.dat  ->  upx
behavioral2/memory/4940-135-0x0000000000400000-0x000000000043E000-memory.dmp  ->  upx
behavioral2/memory/4940-141-0x0000000000400000-0x000000000043E000-memory.dmp  ->  upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
process: b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe (queried twice)
Loads dropped DLL (8 IoCs)
pid  ->  Process
4940  ->  b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe (1 load)
3176  ->  TEAMVI~1.EXE (7 loads)
Drops file in Program Files directory (30 IoCs)
All 30 entries are "File opened for modification" on executables under C:\PROGRA~2\Adobe\ACROBA~1\Reader\ (paths recorded in 8.3 short form). Each of the 15 files below was opened once by b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe and once by svchost.com, consistent with the file-infector behaviour described under Neshta above:
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Drops file in Windows directory (3 IoCs)
description  ->  ioc  ->  Process
File opened for modification  ->  C:\Windows\svchost.com  ->  b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
File opened for modification  ->  C:\Windows\directx.sys  ->  svchost.com
File opened for modification  ->  C:\Windows\svchost.com  ->  svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). This is a generic heuristic that the sandbox also raises for ransomware, but nothing in this run encrypts or renames user files; for a file infector, walking the attached drives is consistent with searching for further executables to infect.
Modifies registry class (2 IoCs)
description  ->  ioc  ->  Process
Set value (str)  ->  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  ->  b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
Key created  ->  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings  ->  b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Three parent-to-child pairs, each recorded three times in the report:
PID 2288 (b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe) wrote to memory of PID 4940 (b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe), procid_target 79
PID 4940 (b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe) wrote to memory of PID 2404 (svchost.com), procid_target 82
PID 2404 (svchost.com) wrote to memory of PID 3176 (TEAMVI~1.EXE), procid_target 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe (PID 2288)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe (PID 4940, child of 2288)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\svchost.com (PID 2404, child of 4940)
         Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TEAMVI~1\Version7\TEAMVI~1.EXE"
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\TEAMVI~1\Version7\TEAMVI~1.EXE (PID 3176, child of 2404)
            Command line: C:\Users\Admin\AppData\Local\Temp\TEAMVI~1\Version7\TEAMVI~1.EXE
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3582-490\b00ff2a223cf00349847087edc1eda231db103625426c732047d10bffaa11ced.exe (listed twice in the report)
Filesize: 3.6MB
MD5: ebc35ee0fb935102508f8d093de5dc75
SHA1: b499084cd5d95e3c1ece0616eab6c593c1049e8d
SHA256: 0f5f032332f7c343f0d8dfa9561a18b44da8106bac9885feac44fa83e35066d7
SHA512: fc6e96d5addee2c682b0ad4632378aacee909d40e60182353f01c120bdd6d2a97ca9c0afc8ebb0e668535fdd9d658ddff262a9d253324c3cfca1b3053abae1f9
(path not recorded; listed twice in the report)
Filesize: 3.5MB
MD5: a971db0e311901bc928f1acb15ed710c
SHA1: 00060089e8de815cf9ed2ebe883ccb2b3a171efd
SHA256: 810bd053018dd55f8a54e364f03ae6522f037e95328573428012b28c799e1ee4
SHA512: 88e7c74fa772a74a2974c311492c7f3ac2690740f53006a2a9dabdbfc0e85b13663edac12b230764c6acecfb49d6238fea77dda4ed8abd4e62bd7f715276dfc9
(path not recorded)
Filesize: 15KB
MD5: 89351a0a6a89519c86c5531e20dab9ea
SHA1: 9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
SHA256: f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277
SHA512: 13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08
(path not recorded)
Filesize: 11KB
MD5: bf712f32249029466fa86756f5546950
SHA1: 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256: 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512: 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
(path not recorded; listed three times in the report)
Filesize: 141KB
MD5: 54a82ad8fe612b1bfe5dc7406d1bd0b5
SHA1: 02f1ebb115ef64fe54ca2d1787b04119f05afff6
SHA256: 80c4332936d17604a2327ae7575fd8553219bd06a35c055ff9f0face1a7a5d59
SHA512: c2d00a87ecb5f4ec6e3862d0864f124bc77f95ec45a4b76fabb640a437ea1903a37f4ed123aefb39b54122329c85bde505dd3dded452c319a11ba2b5990001fe
(path not recorded; listed twice in the report)
Filesize: 4KB
MD5: c7ce0e47c83525983fd2c4c9566b4aad
SHA1: 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256: 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512: ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
(path not recorded)
Filesize: 130KB
MD5: b7641fc2d6eb0b3d81347d4936ced0bd
SHA1: f05955337fbb1dd1974021927a8c07fefae6637b
SHA256: 681cb2b67e87915f37b6f716d53626b939d534c0c3e5e9810ad025760c798270
SHA512: f7f006a7855beaaecd0159b7e4bc2d2cd6d8b1bceb1f1f2b4e73382d34aa07cbf9c3cfadd882fe79c6b971143b04fb02410ede77c7c89b429068207d3d7ddb0a
(path not recorded; listed twice in the report)
Filesize: 40KB
MD5: ea97b5948b7a39ed51b27366433b14bf
SHA1: 431862a792c40d11fc200af3191358768df1a50d
SHA256: 9bb8da63d146a60cc76c7aa73a1e31fcaac703968cd765ce261886ed6ee26b0b
SHA512: cb2941639617317627b1c5a3cd01b24af547b9b05e0cef39638a5d0faf2037fd884e7930b7522aed67f7b56954a64cf57a76df2c6179c7dbfcbae063da133a46
(path not recorded)
Filesize: 5.1MB
MD5: 02c3d242fe142b0eabec69211b34bc55
SHA1: ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256: 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512: 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099