Analysis
-
max time kernel
204s -
max time network
211s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2022 02:56
Behavioral task
behavioral1
Sample
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Resource
win10v2004-20221111-en
General
-
Target
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
-
Size
196KB
-
MD5
cb081dd3495d1dc3fbdbe23d0b9ce457
-
SHA1
eab376077eac115f1c31c5c5c8cc31f66b1bbed6
-
SHA256
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188
-
SHA512
8c590c2ba25150f4f057d62b33ba55bad98a71fb41e7270494f4b419839e4a7ca65314248ef649f83296d134d0c879d4fa8410dc9b86c22e009bc2477fed4dbe
-
SSDEEP
6144:k9PgMU2x3OgTZu79vSdEVNm48uu8673prh/SAA6:qZhudSdEVNm48uu8673prh/S76
Malware Config
Signatures
-
Detect Neshta payload 3 IoCs
Processes:
resource yara_rule C:\Windows\svchost.com family_neshta C:\Windows\svchost.com family_neshta C:\odt\OFFICE~1.EXE family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 2 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.compid process 3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe 3652 svchost.com -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdte.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winupdte.exe\"" 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe -
Drops file in Program Files directory 28 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.comdescription ioc process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE svchost.com -
Drops file in Windows directory 3 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.comdescription ioc process File opened for modification C:\Windows\svchost.com 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exedescription pid process Token: SeDebugPrivilege 3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exepid process 3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.comcmd.exedescription pid process target process PID 2376 wrote to memory of 3040 2376 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe PID 2376 wrote to memory of 3040 2376 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe PID 2376 wrote to memory of 3040 2376 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe PID 3040 wrote to memory of 3652 3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe svchost.com PID 3040 wrote to memory of 3652 3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe svchost.com PID 3040 wrote to memory of 3652 3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe svchost.com PID 3652 wrote to memory of 4024 3652 svchost.com cmd.exe PID 3652 wrote to memory of 4024 3652 svchost.com cmd.exe PID 3652 wrote to memory of 4024 3652 svchost.com cmd.exe PID 4024 wrote to memory of 4384 4024 cmd.exe PING.EXE PID 4024 wrote to memory of 4384 4024 cmd.exe PING.EXE PID 4024 wrote to memory of 4384 4024 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"C:\Users\Admin\AppData\Local\Temp\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"&"C:\Users\Admin\AppData\Local\Temp\winupdte.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"&"C:\Users\Admin\AppData\Local\Temp\winupdte.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 35⤵
- Runs ping.exe
PID:4384
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exeFilesize
156KB
MD57a29980745aab6bf019ad7243987d67f
SHA103dc181b91d6b0321ae84fd6942fb9e95457057c
SHA25668f64dde2d2d22a328fd55b86d015f414c487a357a3ce1d706231bb251c01760
SHA512773cfdeeac28cca5835e79bae42cab1c7ea622427af87cd1cd669618c6b0c63219ff7e1bf1f30b1ab31c7dce18664e811f9b67fa1c7069fcd2ceab861a848a63
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exeFilesize
156KB
MD57a29980745aab6bf019ad7243987d67f
SHA103dc181b91d6b0321ae84fd6942fb9e95457057c
SHA25668f64dde2d2d22a328fd55b86d015f414c487a357a3ce1d706231bb251c01760
SHA512773cfdeeac28cca5835e79bae42cab1c7ea622427af87cd1cd669618c6b0c63219ff7e1bf1f30b1ab31c7dce18664e811f9b67fa1c7069fcd2ceab861a848a63
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comFilesize
40KB
MD536fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\odt\OFFICE~1.EXEFilesize
5.1MB
MD502c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/3040-132-0x0000000000000000-mapping.dmp
-
memory/3040-135-0x0000000073ED0000-0x0000000074481000-memory.dmpFilesize
5.7MB
-
memory/3040-140-0x0000000073ED0000-0x0000000074481000-memory.dmpFilesize
5.7MB
-
memory/3652-136-0x0000000000000000-mapping.dmp
-
memory/4024-139-0x0000000000000000-mapping.dmp
-
memory/4384-142-0x0000000000000000-mapping.dmp