Analysis

  • max time kernel
    141s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 02:39

General

  • Target

    383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe

  • Size

    733KB

  • MD5

    18e67930a20cde9e27ac3169615b8abc

  • SHA1

    8c36f92233be12440c62aa71b47b8f92fe4eec7e

  • SHA256

    383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f

  • SHA512

    431339f98539e75e97745a1efbdc194156f331821ba62f95961b4ea8b1906f31459b4fe96cdca249115a51a0003bd8d22db51ded29775f4a3894b05f88c1f031

  • SSDEEP

    12288:qhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aTA25b8jyrSG:qRmJkcoQricOIQxiZY1iaTA2pJB

Malware Config

Signatures

  • Detect Neshta payload 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
    "C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe
      "C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3996
    • C:\Users\Admin\AppData\Local\Temp\conhost.exe
      "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      2⤵
      • Executes dropped EXE
      PID:3920

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe

    Filesize

    644KB

    MD5

    a81137304bc201ac1b9a557675f68168

    SHA1

    6e3a1e82ff71821e0663ff3211c713f9ce166dd2

    SHA256

    4b4d14f262bddbd4ef91519694a813e0d640d13ef3122ecf6aae2a0c12d8ba86

    SHA512

    2bab7eb32599beee8995e1a901c4de327eac770b8bb7a7656658d31b5ab061f4d0bdae160975199246aac92b99e2683c0879649cc7cad9b1d59bdc338b9d68ec

  • C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe

    Filesize

    644KB

    MD5

    a81137304bc201ac1b9a557675f68168

    SHA1

    6e3a1e82ff71821e0663ff3211c713f9ce166dd2

    SHA256

    4b4d14f262bddbd4ef91519694a813e0d640d13ef3122ecf6aae2a0c12d8ba86

    SHA512

    2bab7eb32599beee8995e1a901c4de327eac770b8bb7a7656658d31b5ab061f4d0bdae160975199246aac92b99e2683c0879649cc7cad9b1d59bdc338b9d68ec

  • C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe

    Filesize

    685KB

    MD5

    db26308a86da5a41d83b67e96a2293b7

    SHA1

    316760d73b2145d80d93cf754cc33ddeb2f3d439

    SHA256

    b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a

    SHA512

    12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe

    Filesize

    29KB

    MD5

    f322709921ddf81c7ef639e8c53862ca

    SHA1

    9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4

    SHA256

    ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858

    SHA512

    e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0

  • memory/3920-143-0x00007FFF6D700000-0x00007FFF6E136000-memory.dmp

    Filesize

    10.2MB