Analysis
- max time kernel: 178s
- max time network: 215s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 02:56

Behavioral task: behavioral1
- Sample: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
- Resource: win10v2004-20221111-en
General
- Target: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
- Size: 159KB
- MD5: 5e1327f7036a7a432da69e47e61fc7b0
- SHA1: a886f14639dc174864330e5a4344b56f9d43b467
- SHA256: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a
- SHA512: cd14759c2f012357ed70112e8947edac6ec6f80e546ad5dd5d1eebfb01b85f9775ea24f6e5bf6a0e61fd0ead1e118cf5f9f23e1f3c89d941519ffa907b0fa116
- SSDEEP: 3072:sr85CZxwGdGq0ElNTO+HmVfchlsugJDoPysVinrRqBYMmJohcX8J:k9TwGd1DN/H8f9oPysViSDXhcX8J
Malware Config
Signatures
Detect Neshta payload (4 IoCs)
Processes (resource, yara_rule):
- C:\Windows\svchost.com: family_neshta
- C:\Windows\svchost.com: family_neshta
- C:\odt\OFFICE~1.EXE: family_neshta
- C:\Windows\svchost.com: family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe)
Neshta
Malware from the Neshta family is a file infector: it writes a copy of itself into other executable files in order to spread and cause damage.
Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 5100: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
- 5040: svchost.com
- 4948: Server.exe
- 3068: svchost.com
- 3196: Chrome.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: Server.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe)
Drops file in Windows directory (6 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\svchost.com (process: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe)
- File opened for modification: C:\Windows\directx.sys (process: svchost.com)
- File opened for modification: C:\Windows\svchost.com (process: svchost.com)
- File created: C:\Windows\Chrome.exe (process: Server.exe)
- File opened for modification: C:\Windows\directx.sys (process: svchost.com)
- File opened for modification: C:\Windows\svchost.com (process: svchost.com)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (3 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings (process: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings (process: Server.exe)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description, pid, process, target process):
- PID 1148 wrote to memory of 5100: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe -> d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
- PID 1148 wrote to memory of 5100: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe -> d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
- PID 1148 wrote to memory of 5100: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe -> d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
- PID 5100 wrote to memory of 5040: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe -> svchost.com
- PID 5100 wrote to memory of 5040: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe -> svchost.com
- PID 5100 wrote to memory of 5040: d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe -> svchost.com
- PID 5040 wrote to memory of 4948: svchost.com -> Server.exe
- PID 5040 wrote to memory of 4948: svchost.com -> Server.exe
- PID 5040 wrote to memory of 4948: svchost.com -> Server.exe
- PID 4948 wrote to memory of 3068: Server.exe -> svchost.com
- PID 4948 wrote to memory of 3068: Server.exe -> svchost.com
- PID 4948 wrote to memory of 3068: Server.exe -> svchost.com
- PID 3068 wrote to memory of 3196: svchost.com -> Chrome.exe
- PID 3068 wrote to memory of 3196: svchost.com -> Chrome.exe
- PID 3068 wrote to memory of 3196: svchost.com -> Chrome.exe
Processes (process tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1148

   2. C:\Users\Admin\AppData\Local\Temp\3582-490\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 5100

      3. C:\Windows\svchost.com
         Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Server.exe"
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         PID: 5040

         4. C:\Users\Admin\AppData\Local\Temp\Server.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\Server.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            PID: 4948

            5. C:\Windows\svchost.com
               Command line: "C:\Windows\svchost.com" "C:\Windows\Chrome.exe"
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of WriteProcessMemory
               PID: 3068

               6. C:\Windows\Chrome.exe
                  Command line: C:\Windows\Chrome.exe
                  - Executes dropped EXE
                  PID: 3196
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files; duplicate entries in the report collapsed, with the repeat count noted)

- C:\Users\Admin\AppData\Local\Temp\3582-490\d08e310d6308ee311f146bc4679b5518604947ce0aff9fd16fdb7ffd8322150a.exe (listed twice)
  Filesize: 118KB
  MD5: d25bdff6d3851ab65de0cdcfdde00374
  SHA1: edf43f729b4ec9f234f46b59ff3c1e0205481779
  SHA256: e34dd42c0134047595b0075b8bd90acb42676ff54cf941812d47c341787d2a4d
  SHA512: d4cee253069fc95d049c93b0269b6f62f191dbef96ece3fffb6d63702daf35160fb468f756acf2e0ee44bb81e997aa6f5c1d8e62cfa560e0f61aab098bb02d98

- (path not recorded in the report; listed five times)
  Filesize: 78KB
  MD5: 02329f96ab9ff4b04a08a2766605b63a
  SHA1: 988fc4dbd1f74f31c019ac70024eae243e9787c2
  SHA256: 1c6b57edb0682a7f1c4fba81386438fefdda983a25d3835265f1307f89e1e7eb
  SHA512: dc49273aede628e5b8b2c4fb7eb39467cbb410b4d5b36691a89bb1931e6df221e1c200926cd116f849aedad1e7a1358e2a70474fbeb1c31c81f3e2e262ffd160

- (path not recorded in the report)
  Filesize: 46B
  MD5: 4a4acd32aceb74f3bb94d561db309dcc
  SHA1: 39459b7563df4ef4f643a7afbc3dfc9de8909711
  SHA256: 2718ec016cb6d868bffa655e7fae1aa7c17405419c4e014acc5ece8e90290085
  SHA512: 49e41b126f663121b455911f880d7288f8fc943a715f217a5afeb99904de04a8b68524f7ca3fa9c02c8a6c19e5fc10bdf8ef7d7ed975f8e48a485a0e49145c44

- (path not recorded in the report; listed three times)
  Filesize: 40KB
  MD5: 64eb93f53a52d9e1ae26e4dee2b3a165
  SHA1: f7d40ef03687619c00e8d267876ef8a2a9e692cf
  SHA256: f005d859de5777c8dd71b697018d47eeab63134ad14e975226c0a192039c3430
  SHA512: 1004d46c82181ab0c5f4a3326082deb2b6d47907d6998f755e56a9b28c3baf93170c307c32d059ec1c742cbe1029f96a6d3cf635cba216c142e1d7dadde7a7d9

- (path not recorded in the report)
  Filesize: 5.1MB
  MD5: 02c3d242fe142b0eabec69211b34bc55
  SHA1: ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
  SHA256: 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
  SHA512: 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099