Analysis
-
max time kernel
160s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 18:35
Behavioral task
behavioral1
Sample
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
Resource
win10v2004-20220812-en
General
-
Target
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
-
Size
1.0MB
-
MD5
49c06ada1e8434d06291d3616203b8ac
-
SHA1
51e2e7f3dea1a6e0422e77a76083257620ee500d
-
SHA256
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf
-
SHA512
dacfc11670e440f5f319ff9bf0d521de94e1aa4c0120aeec35c7b40a1565186c681628cc2d7bcc3050ecb3c8d056ea29b072705b5c14b8e7be21c3d4fc6a7c21
-
SSDEEP
768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJL3rDv/aDfzekIfvnj1+h9/z:JxqjQ+P04wsmJCA3E7Ifvj1+h
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exepid process 1848 c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exedescription ioc process File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe -
Drops file in Windows directory 1 IoCs
Processes:
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exedescription ioc process File opened for modification C:\Windows\svchost.com c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2340 1848 WerFault.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe -
Modifies registry class 1 IoCs
Processes:
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exedescription pid process target process PID 2448 wrote to memory of 1848 2448 c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe PID 2448 wrote to memory of 1848 2448 c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe PID 2448 wrote to memory of 1848 2448 c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe"C:\Users\Admin\AppData\Local\Temp\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe"2⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1883⤵
- Program crash
PID:2340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1848 -ip 18481⤵PID:4496
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exeFilesize
992KB
MD57e9c4033730d704faccd1ca0669b212d
SHA11e52dd897742361d7c497d19212a6aa12dd3f247
SHA256409278a4ee415b3c8144c0e720e913d17b571155bb04a8f868b5af2a534bef50
SHA5126fb609a8cf2b68ad818d5bdc51cac747d7046692a00f50e09b0c14626d9de278a5791f0b8111e7889cb0dd32bae6f4bb3d43bdf554d6eb6f270eea803e9f4493
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exeFilesize
992KB
MD57e9c4033730d704faccd1ca0669b212d
SHA11e52dd897742361d7c497d19212a6aa12dd3f247
SHA256409278a4ee415b3c8144c0e720e913d17b571155bb04a8f868b5af2a534bef50
SHA5126fb609a8cf2b68ad818d5bdc51cac747d7046692a00f50e09b0c14626d9de278a5791f0b8111e7889cb0dd32bae6f4bb3d43bdf554d6eb6f270eea803e9f4493
-
memory/1848-132-0x0000000000000000-mapping.dmp
-
memory/1848-135-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1848-136-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB