Analysis
max time kernel: 141s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 27-11-2022 02:39
Static task: static1
Behavioral task: behavioral1
  Sample: 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
  Resource: win10v2004-20221111-en
General
Target: 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
Size: 733KB
MD5: 18e67930a20cde9e27ac3169615b8abc
SHA1: 8c36f92233be12440c62aa71b47b8f92fe4eec7e
SHA256: 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f
SHA512: 431339f98539e75e97745a1efbdc194156f331821ba62f95961b4ea8b1906f31459b4fe96cdca249115a51a0003bd8d22db51ded29775f4a3894b05f88c1f031
SSDEEP: 12288:qhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aTA25b8jyrSG:qRmJkcoQricOIQxiZY1iaTA2pJB
Malware Config
Signatures
- Detect Neshta payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000700000002314b-133.dat | family_neshta
  behavioral2/files/0x000700000002314b-134.dat | family_neshta
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | DLL Files Fixer Activator.exe
- Neshta
  Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
- Executes dropped EXE (3 IoCs)
  pid | Process
  1996 | DLL Files Fixer Activator.exe
  3920 | conhost.exe
  3996 | DLL Files Fixer Activator.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | DLL Files Fixer Activator.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe
- Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | DLL Files Fixer Activator.exe
  File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | DLL Files Fixer Activator.exe
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\svchost.com | DLL Files Fixer Activator.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | DLL Files Fixer Activator.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3996 | DLL Files Fixer Activator.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 1960 wrote to memory of 1996 | 1960 | 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe | 86
  PID 1960 wrote to memory of 1996 | 1960 | 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe | 86
  PID 1960 wrote to memory of 1996 | 1960 | 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe | 86
  PID 1960 wrote to memory of 3920 | 1960 | 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe | 88
  PID 1960 wrote to memory of 3920 | 1960 | 383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe | 88
  PID 1996 wrote to memory of 3996 | 1996 | DLL Files Fixer Activator.exe | 89
  PID 1996 wrote to memory of 3996 | 1996 | DLL Files Fixer Activator.exe | 89
  PID 1996 wrote to memory of 3996 | 1996 | DLL Files Fixer Activator.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe (PID 1960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\383a473a44c5b8009f91f15340634fe3786dd2e57cdd677f45505aa622d03c8f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe (PID 1996)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DLL Files Fixer Activator.exe"
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe (PID 3996)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\DLL Files Fixer Activator.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\conhost.exe (PID 3920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 644KB
  MD5: a81137304bc201ac1b9a557675f68168
  SHA1: 6e3a1e82ff71821e0663ff3211c713f9ce166dd2
  SHA256: 4b4d14f262bddbd4ef91519694a813e0d640d13ef3122ecf6aae2a0c12d8ba86
  SHA512: 2bab7eb32599beee8995e1a901c4de327eac770b8bb7a7656658d31b5ab061f4d0bdae160975199246aac92b99e2683c0879649cc7cad9b1d59bdc338b9d68ec
- Filesize: 685KB
  MD5: db26308a86da5a41d83b67e96a2293b7
  SHA1: 316760d73b2145d80d93cf754cc33ddeb2f3d439
  SHA256: b83c8a68e3f965fb22785bea54765698fd7eb41c9fe981cfec051f49fabef51a
  SHA512: 12854dbeed87c892731abbee4b2c96570731e17f74d108d31da52d02dfbb3210f79fb803fb17c313fb2c17f8361ff041497b41b445053c39e3c7734e451040f3
- Filesize: 29KB
  MD5: f322709921ddf81c7ef639e8c53862ca
  SHA1: 9c2506c58e39d322a5fa2473ec9ec61f7ded5dd4
  SHA256: ef7b903dafffa373c1db602575336883c5ff4da69fc08fc73ab27ee402b4e858
  SHA512: e9f1300d6d7b53015190271b6bdf8c847cca0a6a9754942353de5575912e30bfac2b6fa48708a1ed1dfcb7ad20bf6af344d9121435fa7ce66bc527a57e47cac0