Analysis
- max time kernel: 227s
- max time network: 238s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2022 23:22
Behavioral task behavioral1
- Sample: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
- Resource: win10v2004-20221111-en
General
- Target: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
- Size: 206KB
- MD5: 51b572f2657e5ad15a3549641c35ad40
- SHA1: 4784ff024160258dd9db74d211d3dc0ed95d7c54
- SHA256: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2
- SHA512: 805a50aae431fb2d67bcf89da8311720cbd3f1757c5263a0f087d78b1c3b393ae8ffada077914945b173db05155948a724ea2e13a6cc91c25f6e6866dfa76c8f
- SSDEEP: 3072:sr85C3btR1nCi6dcApMFA0GZZzgkxUOadTB2jgxkrIYhMZHZkTTDTIDQbS3hR:k9rtRNOcamDGT8eWFugxyhM0bSD
Malware Config
Signatures
-
Modifies system executable filetype association (2 TTPs, 1 IoC)
Process: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
After this change every .exe launched on the host is routed through C:\Windows\svchost.com (the dropped infector, see "Drops file in Windows directory" below) before the requested program runs, which is how Neshta persists and reaches new host files. The clean default value for this key is "%1" %*; anything else in front of it is a hijack.
Neshta
Neshta is a file infector: it writes its own code into other executables on the system in order to spread, damaging the hosts it infects.
Executes dropped EXE (1 IoC)
- PID 3884: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Process: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
Drops file in Windows directory (7 IoCs)
Processes: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe (two processes of this name; see the process tree below)
- File opened for modification: C:\Windows\pss\system.ini.backup
- File created: C:\Windows\pss\system.ini.backup
- File opened for modification: C:\Windows\pss\win.ini.backup
- File created: C:\Windows\pss\win.ini.backup
- File opened for modification: C:\Windows\system.ini
- File opened for modification: C:\Windows\win.ini
- File opened for modification: C:\Windows\svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; for a file infector such as Neshta it is equally consistent with walking attached drives to find further executables to infect.
Modifies registry class (1 IoC)
Process: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (the same write reported under "Modifies system executable filetype association")
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeShutdownPrivilege, PID 3884, 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 3884: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
- PID 3884: 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3788 wrote to memory of PID 3884 (352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe -> 352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe)
- PID 3788 wrote to memory of PID 3884 (same source and target)
- PID 3788 wrote to memory of PID 3884 (same source and target)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe" (PID 3788)
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\3582-490\352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe" (PID 3884, child of 3788)
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
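The signatures and the process tree above together give four host-based indicators that survive a change of sample hash: the exefile\shell\open\command hijack, the drop of C:\Windows\svchost.com, the system.ini/win.ini backups under C:\Windows\pss\, and the relaunch of a same-named executable from %TEMP%\3582-490\ by its parent. The following detection logic is an added example, not part of the sandbox report or of any vendor's ruleset. It runs over constructed Sysmon-style events (EventID 13 = registry value set, 11 = file create, 1 = process create); the event field names follow Sysmon's schema but the events themselves are made up for this example and are not a capture from this run.

```python
"""Detect the Neshta host indicators from this report in Sysmon-style events.

Added example, not part of the sandbox report. The event dicts below are
constructed to mirror the report's IoCs; field names (EventID, ProcessId,
TargetObject, Details, TargetFilename, Image, ParentImage) are assumptions
modelled on Sysmon's schema.
"""
import re
from dataclasses import dataclass

# Clean default for HKLM\SOFTWARE\Classes\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Indicators taken from the report (case-insensitive). The registry key may be
# logged with a trailing backslash or an explicit "(Default)" value name.
EXEFILE_KEY = re.compile(r"\\classes\\exefile\\shell\\open\\command\\?(\(default\))?$", re.I)
SVCHOST_COM = re.compile(r"^c:\\windows\\svchost\.com$", re.I)
PSS_BACKUP = re.compile(r"^c:\\windows\\pss\\(system|win)\.ini\.backup$", re.I)
TEMP_3582 = re.compile(r"\\appdata\\local\\temp\\3582-490\\([^\\]+\.exe)$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def exefile_command_hijacked(value: str) -> bool:
    """True when the exefile open command no longer runs just "%1" %*.

    Neshta sets it to C:\\Windows\\svchost.com "%1" %* so that every .exe
    launch first executes the infector; any prefix before "%1" is a hijack.
    """
    return value.strip() != CLEAN_EXEFILE_COMMAND


def scan(events):
    """Return a Finding for every event that matches one of the indicators."""
    findings = []
    for ev in events:
        eid, pid = ev["EventID"], int(ev["ProcessId"])
        if eid == 13 and EXEFILE_KEY.search(ev["TargetObject"]):
            if exefile_command_hijacked(ev["Details"]):
                findings.append(Finding("exefile_association_hijack", pid, ev["Details"]))
        elif eid == 11:
            target = ev["TargetFilename"]
            if SVCHOST_COM.match(target):
                findings.append(Finding("svchost_com_dropped", pid, target))
            elif PSS_BACKUP.match(target):
                findings.append(Finding("pss_ini_backup_written", pid, target))
        elif eid == 1:
            m = TEMP_3582.search(ev["Image"])
            # The infected copy unpacks the clean host into %TEMP%\3582-490\ and
            # runs it; parent and child carry the same file name (process tree above).
            if m and ev["ParentImage"].lower().endswith("\\" + m.group(1).lower()):
                findings.append(Finding("clean_host_relaunched_from_temp", pid, ev["Image"]))
    return findings


def count_by_rule(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample events mirroring the report, plus two benign ones.
SAMPLE = "352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe"
INFECTED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
CLEAN_HOST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\" + SAMPLE

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3788, "Image": INFECTED, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 3788,
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": r'C:\Windows\svchost.com "%1" %*'},
    {"EventID": 11, "ProcessId": 3788, "TargetFilename": r"C:\Windows\pss\system.ini.backup"},
    {"EventID": 11, "ProcessId": 3788, "TargetFilename": r"C:\Windows\pss\win.ini.backup"},
    {"EventID": 11, "ProcessId": 3788, "TargetFilename": r"C:\Windows\svchost.com"},
    {"EventID": 1, "ProcessId": 3884, "Image": CLEAN_HOST, "ParentImage": INFECTED},
    # Benign noise: an installer restoring the default association, an ordinary temp file.
    {"EventID": 13, "ProcessId": 4100,
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": '"%1" %*'},
    {"EventID": 11, "ProcessId": 4100, "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
```

Run against the constructed events the scan yields five findings, all from PIDs 3788 and 3884, and none from the benign installer that writes the clean "%1" %* value. When remediating a real host, restore that default value before deleting C:\Windows\svchost.com, otherwise no .exe will launch.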
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\352e1adc80b86bd668cd84f0adec4305789ce14ea7cd2a20091b52ae3b765ae2.exe
  This is the executable the first process wrote to the 3582-490 temp directory and then launched (PID 3884): the original host program carved out of the infected sample. It is about 40KB smaller than the 206KB submitted file, the difference being the infector code prepended to the host.
  Filesize: 166KB
  MD5: a81135541c9d4ebce43efa8ad31395b4
  SHA1: c4e6cba41ebea2ead0278bcd80991f4e9c6c6a74
  SHA256: 96cf8e21b7838d8162c68825bc8c4747a4380acb672ff73423cbea3ef5590e4b
  SHA512: b9dffc68a0c11535698345e1bbd58c82dc2a7a142aadd3d21c4f535eb191887340b30f93df1f484d2624b0d3aee4d0e9d52827b4a28c6e904c24d9e07115f768
- memory/3884-132-0x0000000000000000-mapping.dmp