Analysis
-
max time kernel
207s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
12-10-2022 09:58
General
-
Target
2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
-
Size
97KB
-
MD5
54c2b90fd9364cd39cecff8ab112b825
-
SHA1
96c0c98dcce84e3bbec643083ce675664173bfd2
-
SHA256
2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba
-
SHA512
2e243d990243a80908531f3dc8910df796be6c87b964fbd84192e8161463d4460b552b5136379e789741f80abddfe77e77e81c4dcca9057881959a0d9dc1f3ce
-
SSDEEP
1536:JxqjQ+P04wsmJCGf0sKkr0EU5NeRBl5PT/rx1mzwRMSTdLpJUM:sr85CG07QRrmzwR5Jx
Malware Config
Signatures
-
Detect Neshta payload 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"C:\Users\Admin\AppData\Local\Temp\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
MD50315ae9ac71bb7366887ccefd4ae80aa
SHA1a60fb81131fc39e52e1854d0dc9ca358bb1d9983
SHA256afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7
SHA512b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23
-
Filesize
56KB
MD50315ae9ac71bb7366887ccefd4ae80aa
SHA1a60fb81131fc39e52e1854d0dc9ca358bb1d9983
SHA256afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7
SHA512b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23
-
Filesize
56KB
MD50315ae9ac71bb7366887ccefd4ae80aa
SHA1a60fb81131fc39e52e1854d0dc9ca358bb1d9983
SHA256afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7
SHA512b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23
-
Filesize
5.8MB
MD544ae01d4d94a4bd85055e0cf9499a20f
SHA12df766f8349e777d92e389ccd623a196cab32a83
SHA25694ce6d8f25c16342e05bb370884bb57e65297c9c7dc731e04812ab6cc7796c11
SHA512ba2ca6ab23c43eb82bdcc035d871ff1e8438afba12e8b2a7759dbec12c189ab6242db758634767e807db78cc253c0f5998769f842ca602980eb076e36dc3daa4
-
-
-
-
-
-
-
-
-
-