Analysis

  • max time kernel
    191s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2022, 17:58

General

  • Target

    a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47.exe

  • Size

    171KB

  • MD5

    6880a05d8d25958b80fd27416bb57a25

  • SHA1

    25e34619d3921e2bd4cfdc222e872915334f5138

  • SHA256

    a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47

  • SHA512

    97c0f23476968ac89c3a3d9bafc78e3d4546ef106fffad652d2eba8797d8759f84b40848d5d313d3445614873cc3816c8d7361ea591e71eec0c7751ba959d89f

  • SSDEEP

    1536:JxqjQ+P04wsmJC/AMysrvCdqygA1srvCdqygA+:sr85Ccsb4gA1sb4gA+

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47.exe
    "C:\Users\Admin\AppData\Local\Temp\a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:864

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47.exe

          Filesize

          130KB

          MD5

          713f6a152d67a1c9673ac63c9d1a4ca8

          SHA1

          067ca4b86fb3daa311faee59c2e155559c73db33

          SHA256

          a20ae7047a0fcfe59f07bd9b88d8590cbeaf55020a0257ab21ffa5aaae65215e

          SHA512

          ef5ec5b357dfd82baafc5283032710dac8e46ddc6cab101017085f90cc326b0195faa58a1cc44b279f3661249a5137d88a7ee9059fe07d06b794407b5032df66

        • C:\Users\Admin\AppData\Local\Temp\3582-490\a5031380b47f394f7a025bf30bccfea75b990a8b03b89ef4d7440b8fe25cab47.exe

          Filesize

          130KB

          MD5

          713f6a152d67a1c9673ac63c9d1a4ca8

          SHA1

          067ca4b86fb3daa311faee59c2e155559c73db33

          SHA256

          a20ae7047a0fcfe59f07bd9b88d8590cbeaf55020a0257ab21ffa5aaae65215e

          SHA512

          ef5ec5b357dfd82baafc5283032710dac8e46ddc6cab101017085f90cc326b0195faa58a1cc44b279f3661249a5137d88a7ee9059fe07d06b794407b5032df66

        • memory/864-135-0x0000000000400000-0x0000000000419000-memory.dmp

          Filesize

          100KB