Analysis
-
max time kernel
152s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
25-11-2022 13:04
General
-
Target
35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0.exe
-
Size
430KB
-
MD5
f2fa726aa15a0bedc7de81cab3c2a5db
-
SHA1
a45ffdd8a301976719abe2f7400c0185b6662432
-
SHA256
35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0
-
SHA512
9413137d3eeb19a84b02ed8249074e1f1e6d2ff791786f682bd28ca32b3323c2980292b828023e9d01f82237fb2132f2632344cb625c631230f2c98b1f1c5b9b
-
SSDEEP
6144:k9+feVjBpeExgVTFSXFoMc5RhCaL37mwww0JwwmSnvYqm9nxLW0Bs/kSTiOWGr9U:RZlPzCy37h8cW7Kcc
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Program Files directory 45 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0.exe"C:\Users\Admin\AppData\Local\Temp\35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 5483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2412 -ip 24121⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0.exeFilesize
390KB
MD5a7a1af091ae0999c280e9ec9c5dd9cca
SHA15e21140a5020370e2489f95f1868e1da6873c6e0
SHA256c3e3ac828f51ea2c263904a398dd5bcfaf0d410793add67b08d738f054ea10a6
SHA512c4f3cb0732c1197f652d94121bdb7bf7199a0bedb2eb4f90a4f627e9b9527381674048f029d57d4b11490774743a56b9698385eabf85e0c6da18bc95a29cb2ee
-
C:\Users\Admin\AppData\Local\Temp\3582-490\35f6969f46bdfad60514dbd8e64368e3b6d13e0ff92f21f649fab69a80fcd7b0.exeFilesize
390KB
MD5a7a1af091ae0999c280e9ec9c5dd9cca
SHA15e21140a5020370e2489f95f1868e1da6873c6e0
SHA256c3e3ac828f51ea2c263904a398dd5bcfaf0d410793add67b08d738f054ea10a6
SHA512c4f3cb0732c1197f652d94121bdb7bf7199a0bedb2eb4f90a4f627e9b9527381674048f029d57d4b11490774743a56b9698385eabf85e0c6da18bc95a29cb2ee
-
memory/2412-132-0x0000000000000000-mapping.dmp
-
memory/2412-135-0x0000000000400000-0x00000000004E8000-memory.dmpFilesize
928KB