Analysis
-
max time kernel
153s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21-10-2022 00:22
Static task
static1
Behavioral task
behavioral1
Sample
794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe
Resource
win7-20220812-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe
-
Size
918KB
-
MD5
681ee92300c1b1d3daacbdbae5c68510
-
SHA1
2532dd6b415f108236827f8b8b9fcbac54214c1a
-
SHA256
794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4
-
SHA512
398078aab6ef501d3d5b683a1c5b118185b78cd14a1b21f9609df7f60f44b13b48115a5f72756eee3dccff50b6e42006a98d72780734dc180758a0c2beccfab1
-
SSDEEP
24576:L5jgiri7a4HKvkTgXuquveY+W2o8oT3ezMrl9cekcHhXh9HJUiWUXsmqsqzl87at:F0iriNHKvkTgXuquveY+W2o8oT3ezMrq
Score
10/10
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
pid Process 2680 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe -
Loads dropped DLL 1 IoCs
pid Process 2680 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5032 wrote to memory of 2680 5032 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe 82 PID 5032 wrote to memory of 2680 5032 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe 82 PID 5032 wrote to memory of 2680 5032 794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe"C:\Users\Admin\AppData\Local\Temp\794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Users\Admin\AppData\Local\Temp\3582-490\794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe
Filesize878KB
MD55a4d834ac6e5f6999037db7487f1cf85
SHA164d749688f340e96c10225bd53f303b2fbe66e52
SHA2561631f289a8b5c6c52ffaf74349ae00e1c76589034e36c5bbbc1d51cf311cc264
SHA512541abad0deb46bb8d62ec271a9254399a57da8866aafe96ed1eb8440048dccf4730990fe778a31d683127d1805e01193c80995336e3bae5f26a230b4ea1bb0c4
-
C:\Users\Admin\AppData\Local\Temp\3582-490\794e1729e8ec304e04ffd9fed333c2c3b5fa014481f115f98f54d47debc87da4.exe
Filesize878KB
MD55a4d834ac6e5f6999037db7487f1cf85
SHA164d749688f340e96c10225bd53f303b2fbe66e52
SHA2561631f289a8b5c6c52ffaf74349ae00e1c76589034e36c5bbbc1d51cf311cc264
SHA512541abad0deb46bb8d62ec271a9254399a57da8866aafe96ed1eb8440048dccf4730990fe778a31d683127d1805e01193c80995336e3bae5f26a230b4ea1bb0c4
-
Filesize
11KB
MD5959ea64598b9a3e494c00e8fa793be7e
SHA140f284a3b92c2f04b1038def79579d4b3d066ee0
SHA25603cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
SHA5125e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64