Analysis
max time kernel: 166s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 01/10/2022, 17:58
Behavioral task: behavioral1
Sample: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
Resource: win10v2004-20220812-en
General
Target: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
Size: 230KB
MD5: 630ba5592e53294429594cc95848cbb0
SHA1: 245f6075d4e7f4411abc5319a80999606dc5c0b1
SHA256: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b
SHA512: 80a4517567ad4c28ac7c4591b6997ca9b9efc28975ca9e42b43499f7932de0379f02821b29af54162bdc6cdde9ff1003cb191dbefdaf3ce1def9da7cd067307b
SSDEEP: 3072:sr85Cn7Ej5pY4WCmZwmNStxKuHbzsqO30hBe9JZN/avJrx0+/tOQ+:k9n7ElpY4WCJOEhBeDj0JF7
Malware Config
Signatures

Modifies system executable filetype association (2 TTPs, 1 IoC)
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"; Process: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
Neshta
Malware from the Neshta family is designed to infect other files with copies of itself in order to spread and cause damage.
Executes dropped EXE (1 IoC)
pid: 224; Process: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation; Process: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe

Drops file in Windows directory (1 IoC)
description: File opened for modification; ioc: C:\Windows\svchost.com; Process: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"; Process: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description: PID 1384 wrote to memory of 224; pid: 1384; Process: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe; procid_target: 84
description: PID 1384 wrote to memory of 224; pid: 1384; Process: 2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe; procid_target: 84
Processes

C:\Users\Admin\AppData\Local\Temp\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1384

  C:\Users\Admin\AppData\Local\Temp\3582-490\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe (child of PID 1384)
    command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe"
    - Executes dropped EXE
    PID: 224
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\2da493e755264e80ac6ba0cb79f71d75c9bdbc8adceac9b559ad077f2e241e4b.exe
Filesize: 189KB
MD5: 3a417c5bb5d624d54265eeb9c638d4cb
SHA1: 45c35c9456273948756fe70490e1c0cac8b75723
SHA256: 2220b8f4d11849b1b9abd5ba634ef7afa8bcfa4d0174d636eec349c080425ab6
SHA512: 9cd476b6adea02cc101ade405c360f2bfed1f46cf03335d5be4db1c8dc5f6b4e08dd1206e874e46016b950c74e34f7a3a276973698af4e8a62d80d204b2f4790