Analysis

  • max time kernel
    156s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2022 11:22

General

  • Target

    7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6.exe

  • Size

    899KB

  • MD5

    1c171fab1e78fa70a01ee21e30975f0a

  • SHA1

    f92145b312ec8d0ef148824b1fd6839f54b3f2ce

  • SHA256

    7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6

  • SHA512

    9245e565bb4e8b8b78d0ad950c424df866343b3101e3a6a168abd1363173aa27c0605087c1090d5d8dee7d5ac5ea0bb0e00b189f9900d4d5e90408a16e8e7f6c

  • SSDEEP

    24576:Q7v1HTNnk4A6EfEuCqwWFjSkI25Wc++kND7J:QxTNnk4EEuCqwDkjC+63J

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6.exe
    "C:\Users\Admin\AppData\Local\Temp\7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Users\Admin\AppData\Local\Temp\3582-490\7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6.exe"
      2⤵
      • Executes dropped EXE
      PID:2280

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6.exe

    Filesize

    858KB

    MD5

    8c00b0841860115c3b439bf40d19fbb9

    SHA1

    72445912e2c95fd9b42383a0b3e206cb5041fcb2

    SHA256

    50d1d74f015406fd5037a098848421c6887d09a8f14b115d10a7f1de24686244

    SHA512

    4f639351808989fe9609e5031272a4361e916bd553cffef2b39aa7890393d1db7febe6d62fe71caf2a3d15b84bad9f930a39a353cfd0475adde4b8bdbccd92c7

  • C:\Users\Admin\AppData\Local\Temp\3582-490\7d669f874028b993c8730dba69cb32e36aa665426fa8244a7e3d0fcab7b6b5a6.exe

    Filesize

    858KB

    MD5

    8c00b0841860115c3b439bf40d19fbb9

    SHA1

    72445912e2c95fd9b42383a0b3e206cb5041fcb2

    SHA256

    50d1d74f015406fd5037a098848421c6887d09a8f14b115d10a7f1de24686244

    SHA512

    4f639351808989fe9609e5031272a4361e916bd553cffef2b39aa7890393d1db7febe6d62fe71caf2a3d15b84bad9f930a39a353cfd0475adde4b8bdbccd92c7

  • memory/2280-132-0x0000000000000000-mapping.dmp