Overview

overview

10

Static

static

10

cbdfaf7c90...ad.exe

windows7-x64

10

cbdfaf7c90...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2022 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

  • Size

    710KB

  • MD5

    674a54ed8c9614aea4808f6a09cc2236

  • SHA1

    10e78765c5b245a6d19e77f54cb40bcdbb91ddcd

  • SHA256

    cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad

  • SHA512

    fb513afef9f44834e6461645a7f3121a343f07074f91b1e999faabeca332898f45426a67e70944ad979f80aa149eff5006547cc7b2ccb06af1a08b08df537ae1

  • SSDEEP

    12288:XA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DXKD/KeXQF:wuf4wTuV2Ux3uIZeUBi2Te6HWCKrKea

Score
10/10
medusalockerneshtaevasionpersistenceransomwarespywarestealertrojan

Malware Config

Signatures

  • Detect Neshta payload 1 IoCs
  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
    "C:\Users\Admin\AppData\Local\Temp\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2004
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1176
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1996
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:392
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1312
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:520
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:844
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D308E3B8-3E2E-43EB-8EF7-5FD6059CE6C0} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      PID:1776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
    Filesize

    864KB

    MD5

    fa9fbacb725e3c38850a20232f2bf4b6

    SHA1

    4dd5c86538af0e79ce5d194176b960317efb1370

    SHA256

    b04eddca3cc4094a12f1dae4b0ae1ed151c8617adf0a94eff27fd41da80d12ba

    SHA512

    491f00cb6746b301c50def1f369a3f86364535ea8d7a6f9f07c3e5a68ef0e6cd5188e672dfbd18735702a846ddaa1739fcde9f3eb67e802d6b32c9162a73c191

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
    Filesize

    669KB

    MD5

    ac546514c037b432430bebc8e3884dad

    SHA1

    f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

    SHA256

    b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

    SHA512

    b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
    Filesize

    669KB

    MD5

    ac546514c037b432430bebc8e3884dad

    SHA1

    f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

    SHA256

    b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

    SHA512

    b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    669KB

    MD5

    ac546514c037b432430bebc8e3884dad

    SHA1

    f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

    SHA256

    b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

    SHA512

    b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    669KB

    MD5

    ac546514c037b432430bebc8e3884dad

    SHA1

    f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

    SHA256

    b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

    SHA512

    b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
    Filesize

    669KB

    MD5

    ac546514c037b432430bebc8e3884dad

    SHA1

    f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

    SHA256

    b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

    SHA512

    b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

    Download Submit

  • \Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    669KB

    MD5

    ac546514c037b432430bebc8e3884dad

    SHA1

    f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

    SHA256

    b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

    SHA512

    b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

    Download Submit

  • memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

    Download