Analysis
-
max time kernel
107s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
29-11-2022 08:03
Static task
static1
Behavioral task
behavioral1
Sample
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe
Resource
win10v2004-20221111-en
General
-
Target
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe
-
Size
180KB
-
MD5
eb2e9b858a7f8c25087a82a79653066e
-
SHA1
18a0f6d4945cf4125ba23bd6d3a6f6c114675f21
-
SHA256
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c
-
SHA512
c501cdddb754e1aa98d2e4d5e60280366c05ef53e49a8f56bf67b00c4ad45f19985412c155fa244d91d566f7c1462adf6d9b81d728dc8bb8e25b44a8b127936f
-
SSDEEP
1536:yxqjQ+P04wsZLnDrCvfViTwxnOIZr3bKsKw3fGVGinQh6gogv9bPAK4BkI1iN8:zr8WDrC1BasVf/Vzogv9bv4BkI1s8
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 1 IoCs
Processes:
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exepid process 1220 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe -
Loads dropped DLL 3 IoCs
Processes:
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exepid process 1308 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe 1308 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe 1308 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exedescription ioc process File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe -
Drops file in Windows directory 1 IoCs
Processes:
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exedescription ioc process File opened for modification C:\Windows\svchost.com 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exedescription pid process target process PID 1308 wrote to memory of 1220 1308 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe PID 1308 wrote to memory of 1220 1308 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe PID 1308 wrote to memory of 1220 1308 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe PID 1308 wrote to memory of 1220 1308 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe 6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe"C:\Users\Admin\AppData\Local\Temp\6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\3582-490\6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exe"2⤵
- Executes dropped EXE
PID:1220
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exeFilesize
140KB
MD54f5ca907d9b9d760528bf30dba85ba47
SHA1e59075594200d3855d2a0b90d106098cd5e44970
SHA2567b706c048d6c3bb80f5d629e6614b56d36aae3c2ffbc392ab36c6328a0e77641
SHA512a8caf74ea31266f3c93cc22e58ac1e320b8ad1c5bf194d983b78dff100c72c770b1bbfa375c5ca68eae5f65026d02178872303d1bd67a57f71ec51bb139919ec
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEFilesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exeFilesize
140KB
MD54f5ca907d9b9d760528bf30dba85ba47
SHA1e59075594200d3855d2a0b90d106098cd5e44970
SHA2567b706c048d6c3bb80f5d629e6614b56d36aae3c2ffbc392ab36c6328a0e77641
SHA512a8caf74ea31266f3c93cc22e58ac1e320b8ad1c5bf194d983b78dff100c72c770b1bbfa375c5ca68eae5f65026d02178872303d1bd67a57f71ec51bb139919ec
-
\Users\Admin\AppData\Local\Temp\3582-490\6ac8a790062b14482471d3905eafecd331e37356be2415b4979cbfa140e0dd8c.exeFilesize
140KB
MD54f5ca907d9b9d760528bf30dba85ba47
SHA1e59075594200d3855d2a0b90d106098cd5e44970
SHA2567b706c048d6c3bb80f5d629e6614b56d36aae3c2ffbc392ab36c6328a0e77641
SHA512a8caf74ea31266f3c93cc22e58ac1e320b8ad1c5bf194d983b78dff100c72c770b1bbfa375c5ca68eae5f65026d02178872303d1bd67a57f71ec51bb139919ec
-
memory/1220-57-0x0000000000000000-mapping.dmp
-
memory/1308-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmpFilesize
8KB