Analysis

  • max time kernel
    166s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2022, 17:58

General

  • Target

    2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe

  • Size

    230KB

  • MD5

    630ba5592e53294429594cc95848cbb0

  • SHA1

    245f6075d4e7f4411abc5319a80999606dc5c0b1

  • SHA256

    2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b

  • SHA512

    80a4517567ad4c28ac7c4591b6997ca9b9efc28975ca9e42b43499f7932de0379f02821b29af54162bdc6cdde9ff1003cb191dbefdaf3ce1def9da7cd067307b

  • SSDEEP

    3072:sr85Cn7Ej5pY4WCmZwmNStxKuHbzsqO30hBe9JZN/avJrx0+/tOQ+:k9n7ElpY4WCJOEhBeDj0JF7

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
    "C:\Users\Admin\AppData\Local\Temp\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe"
      2⤵
      • Executes dropped EXE
      PID:224

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe

          Filesize

          189KB

          MD5

          3a417c5bb5d624d54265eeb9c638d4cb

          SHA1

          45c35c9456273948756fe70490e1c0cac8b75723

          SHA256

          2220b8f4d11849b1b9abd5ba634ef7afa8bcfa4d0174d636eec349c080425ab6

          SHA512

          9cd476b6adea02cc101ade405c360f2bfed1f46cf03335d5be4db1c8dc5f6b4e08dd1206e874e46016b950c74e34f7a3a276973698af4e8a62d80d204b2f4790

        • C:\Users\Admin\AppData\Local\Temp\3582-490\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe

          Filesize

          189KB

          MD5

          3a417c5bb5d624d54265eeb9c638d4cb

          SHA1

          45c35c9456273948756fe70490e1c0cac8b75723

          SHA256

          2220b8f4d11849b1b9abd5ba634ef7afa8bcfa4d0174d636eec349c080425ab6

          SHA512

          9cd476b6adea02cc101ade405c360f2bfed1f46cf03335d5be4db1c8dc5f6b4e08dd1206e874e46016b950c74e34f7a3a276973698af4e8a62d80d204b2f4790