Analysis

  • max time kernel
    177s
  • max time network
    234s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2022, 17:58

General

  • Target

    339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2.exe

  • Size

    180KB

  • MD5

    6b9b65f95d2526da68868b3b81a07193

  • SHA1

    5efd4d18aeec4db04211b3feb20f298da29e0d5d

  • SHA256

    339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2

  • SHA512

    86a8742e0fafecd8ee2a9d900f72cbdd3af422ff6fb69474cd20601c89068c0c9c8b622859b7d05744300714d975d0c8236c7aff65c1cd71a8c4c5baaac352d0

  • SSDEEP

    3072:sr85Cut31fwvJbQNrExmudZ5D83a8pG/+:k9ut31fwBtxmw83a8k2

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2.exe
    "C:\Users\Admin\AppData\Local\Temp\339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\3582-490\339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2.exe"
      2⤵
      • Executes dropped EXE
      PID:1532

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2.exe

          Filesize

          140KB

          MD5

          22c6959e82a802b56d7502f995d5e213

          SHA1

          834f9e2549f754e744e0f25c988cceb7b4fb940f

          SHA256

          5aeefc5d95be89636598e5e4671a0b9ff71c7b7179379102ae3a6ea797859108

          SHA512

          c0592d37983c829ce51833fb6eaa13a726e97af8856f49fc94dd2b27fc393de2c7e0cadb94d155c289df082fcbba84a05f50dcc630bf66f18f06e2ff8b682eed

        • C:\Users\Admin\AppData\Local\Temp\3582-490\339dd085673d2ef2d32aa71c9e6c4b54a21c1018cadb0df06d2ddccf422333e2.exe

          Filesize

          140KB

          MD5

          22c6959e82a802b56d7502f995d5e213

          SHA1

          834f9e2549f754e744e0f25c988cceb7b4fb940f

          SHA256

          5aeefc5d95be89636598e5e4671a0b9ff71c7b7179379102ae3a6ea797859108

          SHA512

          c0592d37983c829ce51833fb6eaa13a726e97af8856f49fc94dd2b27fc393de2c7e0cadb94d155c289df082fcbba84a05f50dcc630bf66f18f06e2ff8b682eed