Analysis
- max time kernel: 211s
- max time network: 232s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 12:05
Behavioral task: behavioral1
- Sample: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Resource: win10v2004-20221111-en
General
- Target: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Size: 205KB
- MD5: 667a7e3e0d7d443a3019b9d49c905161
- SHA1: b990f98250c5ac88afa9e4647c229f8ae561b4f7
- SHA256: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7
- SHA512: 467d313e19d72bf339e2bd8db3eae8dd5d026986d7914a135ea37373778b7f77be6e592dc22d8ed37be75416ab63be5bb460d5d7831d78d2ff6fd4529c3dda5a
- SSDEEP: 3072:sr85CjClo932sLu7NDcBk6tt1uvpYzWAbs5:k9jClo9msLuBgvAmyAbC
Malware Config
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Processes: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Neshta
  Malware from the Neshta family infects other executable files in order to spread and cause damage.
- Executes dropped EXE (1 IoC)
  Processes: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    pid: 4936
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe / vmprotect
    behavioral2/memory/4936-136-0x0000000000400000-0x0000000000429000-memory.dmp / vmprotect
    behavioral2/memory/4936-135-0x0000000000400000-0x0000000000429000-memory.dmp / vmprotect
    C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe / vmprotect
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Drops file in Windows directory (1 IoC)
  Processes: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    description: File opened for modification
    ioc: C:\Windows\svchost.com
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    description: PID 2636 wrote to memory of 4936
    pid: 2636
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    target process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    description: PID 2636 wrote to memory of 4936
    pid: 2636
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    target process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    description: PID 2636 wrote to memory of 4936
    pid: 2636
    process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
    target process: a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\a11bd4f0f5773e8022d3e2e544644f410d4b49b8405f0631273583870a7ceeb7.exe
  Filesize: 165KB
  MD5: 4f88bef9204d347c0d1c99d7be7baae8
  SHA1: f86c4ef16233c330d0d0a7a6644237856c96952f
  SHA256: 5dbd4ed8d49d8993855c592445b581441e63aa42fe8adca5bd6331ebc96b91a5
  SHA512: a2c0dbf44fe0bac79a321cd7052cbab41357bd05986cbe17cc860d0499329f9d90ddf62fe6dd2e62fc54114ac10175bdcdd6455c968177ae814e4df4fa91e443
- memory/4936-132-0x0000000000000000-mapping.dmp
- memory/4936-136-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/4936-135-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB