Analysis

  • max time kernel
    170s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2022, 17:57

General

  • Target

    d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b.exe

  • Size

    1.4MB

  • MD5

    68b5d22b08d59f4e329a5103c60f9d67

  • SHA1

    5c5da1a5b98f79ed540d896f639096ee3bf081d2

  • SHA256

    d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b

  • SHA512

    d8575d6f5993113fe4a61932d9119a788226c070b985a6ecb4b9ddf9ea1b63cc6b19bf93c4314a9458f94a7577b97cbd92bb11965cd762b0da4354883bd101ec

  • SSDEEP

    24576:hnVolPh1JbDvHllWSbWScKKW/+SljKM0bd5ERnqGkd8w9AlEf53MXHG9TSFl4ziO:hCh1JvidvB+nHkxB3M3ITSFIiG/

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b.exe
    "C:\Users\Admin\AppData\Local\Temp\d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Local\Temp\3582-490\d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b.exe"
      2⤵
      • Executes dropped EXE
      PID:3700

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b.exe

          Filesize

          1.4MB

          MD5

          e2cd5a49584f174f5d41706a9874b1d9

          SHA1

          476d23e91669132eb552dcc9629668b760d3df42

          SHA256

          312e469b5010236d583e1e28a95ae5b08f3dc680f5a14f19bb7770f2cabcb9e8

          SHA512

          d39c22ee8018f3a991cf38c8085d619dd4f61e8e71092a1ca9f15d7275f86e8b6ebfb71b844d642692310b16685705fc50c3ce1817a9eb0e901366f802d02ae8

        • C:\Users\Admin\AppData\Local\Temp\3582-490\d9c601e7df7beef67f5baea78cc47fb92488218b3b9faee5b020b6d16667c13b.exe

          Filesize

          1.4MB

          MD5

          e2cd5a49584f174f5d41706a9874b1d9

          SHA1

          476d23e91669132eb552dcc9629668b760d3df42

          SHA256

          312e469b5010236d583e1e28a95ae5b08f3dc680f5a14f19bb7770f2cabcb9e8

          SHA512

          d39c22ee8018f3a991cf38c8085d619dd4f61e8e71092a1ca9f15d7275f86e8b6ebfb71b844d642692310b16685705fc50c3ce1817a9eb0e901366f802d02ae8