Analysis

  • max time kernel
    205s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2022, 17:58

General

  • Target

    41ee3425773490f2a882dd0ea3805bf355a4840d116c8f98fad0c63b5b61406e.exe

  • Size

    176KB

  • MD5

    641a5a3c7b5d107ee369592cbb1b1d9b

  • SHA1

    d17e6ff2a92432a16b7483b6cf1ae2d8337f884c

  • SHA256

    41ee3425773490f2a882dd0ea3805bf355a4840d116c8f98fad0c63b5b61406e

  • SHA512

    2e6e775af2a31386ac86474d19b852c8817e66752a38bb1d0e2d33c28795d8ed94b0e1200b1f70cd925de1b0bbf9369287446d738979980cedbc1dd50b8253b3

  • SSDEEP

    3072:sr85CGcK8LbTBqxKNA5bL4U2DsSLA5aD5DRgS2l6JI0WGIghCSJI0WGIghCa:k9JKib1qkDzpG6JI0W27JI0W2z

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the Neshta family injects itself into other executable files in order to spread and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41ee3425773490f2a882dd0ea3805bf355a4840d116c8f98fad0c63b5b61406e.exe
    "C:\Users\Admin\AppData\Local\Temp\41ee3425773490f2a882dd0ea3805bf355a4840d116c8f98fad0c63b5b61406e.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\3582-490\41ee3425773490f2a882dd0ea3805bf355a4840d116c8f98fad0c63b5b61406e.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\41ee3425773490f2a882dd0ea3805bf355a4840d116c8f98fad0c63b5b61406e.exe"
      2⤵
      • Executes dropped EXE
      PID:4592

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\41ee3425773490f2a882dd0ea3805bf355a4840d116c8f98fad0c63b5b61406e.exe

    • Filesize
      136KB
    • MD5
      8171da874a1f308f70538f9396701d8a
    • SHA1
      120cfbf7c91681fbf40f4651fb6f16fe88f85da1
    • SHA256
      7c491a045a5d1cda0aee7490ea66d9e6af73ba9b688890241ae14371ffcc578d
    • SHA512
      fb8a663c774ff8a3bc2b6bbecee94cb48284494b355ed7e607048e9bc29565889c2fb0105058eca85eee4d87517af8d7b2230338c15d321cda087d9ab9986f01