Analysis

  • max time kernel
    190s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2022, 21:17

General

  • Target

    90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9.exe

  • Size

    133KB

  • MD5

    419045da201bf3d61b24fd39024dfd50

  • SHA1

    8c534b0679d5332358a1eb03116b595155e2a81e

  • SHA256

    90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9

  • SHA512

    abdd9a6ef270932f7178587367eed145401b88e5fae6c0994f47d6556f49328e9a5b7496164ad3707d133ed0e2e10f609ad8c8945066bed7bc5c0faadff84404

  • SSDEEP

    3072:sr85Cfi5UJgfAZ8tTKOvdBtEnk8gIVphu:k9fXJgfAeazhu

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9.exe
    "C:\Users\Admin\AppData\Local\Temp\90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Local\Temp\3582-490\90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9.exe"
      2⤵
      • Executes dropped EXE
      PID:832

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3582-490\90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9.exe

          Filesize

          92KB

          MD5

          21fdf02893648e543db64728d5437ab9

          SHA1

          8c329dfed12dd9866fa326d2e70a702eee0488b7

          SHA256

          9c5519a6209f593ed9045ba5411bd584debeb4f401def1bf1afdbd3e8e39266d

          SHA512

          1cccefdb5cdb1ca1930ae37b95bd369acda4c6a183fa2e7c3fb8cc8eb9efdabf2cf8204a357ad162dc7e021235537a32df38f8132c299df4b85907e4cf5c4712

        • C:\Users\Admin\AppData\Local\Temp\3582-490\90c0c39a39694067aa7fe4497358bed5b91c2772554216069e277bd4d6e5f9c9.exe

          Filesize

          92KB

          MD5

          21fdf02893648e543db64728d5437ab9

          SHA1

          8c329dfed12dd9866fa326d2e70a702eee0488b7

          SHA256

          9c5519a6209f593ed9045ba5411bd584debeb4f401def1bf1afdbd3e8e39266d

          SHA512

          1cccefdb5cdb1ca1930ae37b95bd369acda4c6a183fa2e7c3fb8cc8eb9efdabf2cf8204a357ad162dc7e021235537a32df38f8132c299df4b85907e4cf5c4712