Analysis
-
max time kernel
175s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
26-11-2022 20:54
General
-
Target
b55573d54c18a8ae6256082a2afae50f208fcd61ecc8a5ef1a2ddbd3b73fef8f.exe
-
Size
163KB
-
MD5
feccddaace6fecfd190c7ed21b46b028
-
SHA1
c970d6f679988e8f92ea26bb2771d129c9698899
-
SHA256
b55573d54c18a8ae6256082a2afae50f208fcd61ecc8a5ef1a2ddbd3b73fef8f
-
SHA512
c98e7122875a7bf0ed9256af045d7463d54719caa186535cd49bd9b5dd2d6c2e2f74d88982bcf4989cf7596bb3d9c146b5ca4116963b6c4c5ca04419ebe59dfc
-
SSDEEP
768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJOZWR7G4t1/RHcrvYXK+ZP+I5v7px9l:JxqjQ+P04wsmJCnKG4DRHcDAQI5v7px
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b55573d54c18a8ae6256082a2afae50f208fcd61ecc8a5ef1a2ddbd3b73fef8f.exe"C:\Users\Admin\AppData\Local\Temp\b55573d54c18a8ae6256082a2afae50f208fcd61ecc8a5ef1a2ddbd3b73fef8f.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\b55573d54c18a8ae6256082a2afae50f208fcd61ecc8a5ef1a2ddbd3b73fef8f.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\b55573d54c18a8ae6256082a2afae50f208fcd61ecc8a5ef1a2ddbd3b73fef8f.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
122KB
MD514d3b7b0f53047217bccb335f6e23498
SHA16ae46c7c2b14b33458a4b2e1a480b245c7d1c869
SHA256286e6b19471a5d5766d48852b6660d78e3aa6d19e624af23e76945550ca03b10
SHA512ab6b5b8a3d663ca0bf489bc305ebe2ac594d4fbd129578dfbd5b3de82e57a9f422a1db2d52a977cca404387f1c4d0c881652de2d7c78d714e6f14f958d5c7067
-
Filesize
122KB
MD514d3b7b0f53047217bccb335f6e23498
SHA16ae46c7c2b14b33458a4b2e1a480b245c7d1c869
SHA256286e6b19471a5d5766d48852b6660d78e3aa6d19e624af23e76945550ca03b10
SHA512ab6b5b8a3d663ca0bf489bc305ebe2ac594d4fbd129578dfbd5b3de82e57a9f422a1db2d52a977cca404387f1c4d0c881652de2d7c78d714e6f14f958d5c7067
-
-
Filesize
372KB
-
Filesize
372KB