Analysis
  max time kernel: 191s
  max time network: 199s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-11-2022 19:41
Behavioral task: behavioral1
  Sample: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
  Resource: win10v2004-20221111-en
General
  Target: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
  Size: 229KB
  MD5: 7a9088fa597f6ac4750cff8a7a73f1f2
  SHA1: adbaf9fe8988e6434e38f37218309ee9c438bb42
  SHA256: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f
  SHA512: 9614a8d407446e0239cd5fb584849c34a2651ca9628c2cfccaab7e163ec4b9290896cf74f99edcc95d621b8ae5c66b523e00c7b8ec402a4dbbb21d2f43a51ad0
  SSDEEP: 3072:sr85CsP19Lhx49Z6J//sLm5Awtk8E7AljslrcujXD7HgHHh:k9sP19Lh/WpWkxAljxh
Signatures
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Process: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  With this value in place every .exe launched through the shell is run via C:\Windows\svchost.com, which receives the original path ("%1") and arguments (%*). The Windows default for this value is "%1" %*.
- Neshta
  Neshta is a file-infecting virus family: it writes its own code into other executables in order to spread and cause damage.
- Executes dropped EXE (1 IoC)
  Process: PID 1464 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
    Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
- Drops file in Program Files directory (14 IoCs)
  Process: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
  Files opened for modification (paths are logged in 8.3 short form; PROGRA~2 is normally Program Files (x86), so detections keyed on the long path string will miss these):
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
    C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- Drops file in Windows directory (2 IoCs)
  Processes: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe (both instances)
    File opened for modification C:\Windows\svchost.com
    File created C:\Windows\FONTS\eudcadm.tte
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature is "likely ransomware behaviour"; for a file infector like Neshta the same drive enumeration is equally consistent with searching for further executables to infect.
- Modifies registry class (1 IoC)
  Process: 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  (the same registry write as the filetype-association signature above)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: PID 1464 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4204 (163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe) wrote to the memory of PID 1464 (163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe); recorded three times.
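Detection logic for the three artefacts in the signatures above (the exefile handler redirected through C:\Windows\svchost.com, a .com written into the Windows directory, and a process started from the %TEMP%\3582-490 staging directory), as an added example that is not sandbox or vendor code. It assumes Sysmon-style JSON events with the fields EventID, Image, TargetObject, Details, TargetFilename and ParentImage; the event records in the block are constructed from this report's IoCs, and the key-path normalisation covers both the kernel-style \REGISTRY\MACHINE form shown in the report and the HKLM form Sysmon logs.

```python
"""Flag the three artefacts recorded in the signatures above in Sysmon-style
event logs: the exefile shell handler pointed at C:\\Windows\\svchost.com, a
.com dropped into the Windows directory, and a process launched from the
%TEMP%\\3582-490 staging directory. Added example, not sandbox or vendor code;
the event records below are constructed from the report's IoCs."""
import json
import re

# Windows' stock handler for the exefile ProgID: run the file itself with its arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# exefile open command under HKLM or any user hive (a per-user Software\Classes
# entry overrides HKLM), applied to a normalized, upper-cased key path.
EXEFILE_COMMAND_KEY = re.compile(
    r"^(HKLM|HKU\\[^\\]+)\\SOFTWARE\\CLASSES\\EXEFILE\\SHELL\\OPEN\\COMMAND$"
)
# A .com directly under C:\Windows; legitimate .com tools live in System32, not the root.
WINDOWS_ROOT_COM = re.compile(r"^C:\\WINDOWS\\[^\\]+\.COM$")
# Staging directory seen in this report's process tree and dropped-file list.
STAGING_DIR = re.compile(r"\\APPDATA\\LOCAL\\TEMP\\3582-490\\", re.IGNORECASE)


def normalize_key(target):
    """Bring kernel-style (\\REGISTRY\\MACHINE\\...) and Sysmon-style (HKLM\\...) key
    paths to one upper-case form and drop the '(Default)' / trailing-backslash marker."""
    key = target.strip()
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.IGNORECASE)
    key = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", key, flags=re.IGNORECASE)
    key = re.sub(r"^\\REGISTRY\\USER", "HKU", key, flags=re.IGNORECASE)
    key = re.sub(r"^HKEY_USERS", "HKU", key, flags=re.IGNORECASE)
    key = re.sub(r"\\\(DEFAULT\)$", "", key, flags=re.IGNORECASE)
    return key.rstrip("\\").upper()


def interposed_binary(command):
    """First token of a shell open command, quotes stripped: the program that every
    .exe launch is now routed through."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    if not m:
        return command
    return m.group(1) if m.group(1) is not None else m.group(2)


def scan(events):
    """Return one finding per matching event. `events` are JSON strings with Sysmon-like
    fields: EventID 13 (registry value set), 11 (file create), 1 (process create)."""
    findings = []
    for line in events:
        ev = json.loads(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 13 and EXEFILE_COMMAND_KEY.match(normalize_key(ev.get("TargetObject", ""))):
            value = ev.get("Details", "").strip()
            if value != DEFAULT_EXEFILE_COMMAND:  # anything but the stock handler is a hijack
                findings.append({"rule": "exefile_handler_hijack", "process": image,
                                 "interposer": interposed_binary(value), "value": value})
        elif eid == 11 and WINDOWS_ROOT_COM.match(ev.get("TargetFilename", "").upper()):
            findings.append({"rule": "com_dropped_in_windows_root", "process": image,
                             "path": ev["TargetFilename"]})
        elif eid == 1 and STAGING_DIR.search(image):
            findings.append({"rule": "exec_from_neshta_staging_dir", "process": image,
                             "parent": ev.get("ParentImage", "")})
    return findings


# Constructed events modelled on this report (the sample name is the report's SHA256).
SAMPLE = "163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 13, "Image": TEMP + "\\" + SAMPLE,
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\",
     "Details": r'C:\Windows\svchost.com "%1" %*'},
    {"EventID": 11, "Image": TEMP + "\\" + SAMPLE, "TargetFilename": r"C:\Windows\svchost.com"},
    # Benign: an installer re-asserting the stock handler must not fire.
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     "Details": '"%1" %*'},
    # Also in the report, but not one of the three indicators targeted here.
    {"EventID": 11, "Image": TEMP + "\\" + SAMPLE, "TargetFilename": r"C:\Windows\FONTS\eudcadm.tte"},
    {"EventID": 1, "Image": TEMP + "\\3582-490\\" + SAMPLE, "ParentImage": TEMP + "\\" + SAMPLE},
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints three findings, one per rule, and nothing for the two benign records. Two points matter in practice: the hijack rule compares against the stock value rather than matching the string "svchost.com", so any interposer is caught; and when cleaning an infected host, restore the exefile value to "%1" %* before deleting C:\Windows\svchost.com, otherwise no .exe launched from the shell will start.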
Processes
- C:\Users\Admin\AppData\Local\Temp\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe (PID 4204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe (PID 1464, child of 4204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
  Filesize: 188KB
  MD5: 799961190a2deb65b180a46f1e7aa0a6
  SHA1: 3d2fe33e2ea5d145c2ad08f5b6c2cc5bd56d5a69
  SHA256: 99fd37c1bed425b0a5687eca2da51da8b9ae4e230a4684240fd63455373b3001
  SHA512: b193c34712058f94c693baf4234b87fc5e7e0c91f143f379b97f564bbf4fafa61f502b5bead5fba57f859fd81f010c11b7db095e4daedac1ff08a5d0fa70eb12
  Although it carries the same file name, this dropped file (188KB, distinct hashes) is a different binary from the 229KB submitted sample; it is the one executed as PID 1464.
- memory/1464-132-0x0000000000000000-mapping.dmp