Overview

overview

10

Static

static

10

a11bd4f0f5...b7.exe

windows7-x64

10

a11bd4f0f5...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    211s
  • max time network
    232s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe

  • Size

    205KB

  • MD5

    667a7e3e0d7d443a3019b9d49c905161

  • SHA1

    b990f98250c5ac88afa9e4647c229f8ae561b4f7

  • SHA256

    a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7

  • SHA512

    467d313e19d72bf339e2bd8db3eae8dd5d026986d7914a135ea37373778b7f77be6e592dc22d8ed37be75416ab63be5bb460d5d7831d78d2ff6fd4529c3dda5a

  • SSDEEP

    3072:sr85CjClo932sLu7NDcBk6tt1uvpYzWAbs5:k9jClo9msLuBgvAmyAbC

Score
10/10
neshtapersistencespywarevmprotect

Malware Config

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    "C:\Users\Admin\AppData\Local\Temp\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe"
    1⤵
    • Modifies system executable filetype association
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe"
      2⤵
      • Executes dropped EXE
      PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    Filesize

    165KB

    MD5

    4f88bef9204d347c0d1c99d7be7baae8

    SHA1

    f86c4ef16233c330d0d0a7a6644237856c96952f

    SHA256

    5dbd4ed8d49d8993855c592445b581441e63aa42fe8adca5bd6331ebc96b91a5

    SHA512

    a2c0dbf44fe0bac79a321cd7052cbab41357bd05986cbe17cc860d0499329f9d90ddf62fe6dd2e62fc54114ac10175bdcdd6455c968177ae814e4df4fa91e443

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    Filesize

    165KB

    MD5

    4f88bef9204d347c0d1c99d7be7baae8

    SHA1

    f86c4ef16233c330d0d0a7a6644237856c96952f

    SHA256

    5dbd4ed8d49d8993855c592445b581441e63aa42fe8adca5bd6331ebc96b91a5

    SHA512

    a2c0dbf44fe0bac79a321cd7052cbab41357bd05986cbe17cc860d0499329f9d90ddf62fe6dd2e62fc54114ac10175bdcdd6455c968177ae814e4df4fa91e443

    Download Submit
  • memory/4936-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4936-136-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/4936-135-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download