Analysis
- max time kernel: 156s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 12:26
Static task: static1
Behavioral task: behavioral1
  Sample: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Resource: win10v2004-20220812-en
General
- Target: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
- Size: 9.1MB
- MD5: 71d1b7ce025e5d50d245d777cf47b2ea
- SHA1: 41ff2c2f863df5e52c8ab28705cf1df1f633f15c
- SHA256: b9806db6959eaf756dd803b51495ab2d9b2ef4aa0b7a902b268d07ab7af15748
- SHA512: c2e065cb471365981b043b19aabc79a8572a39c14edcb7da8cc9a6afb9cb18a4620dcf7ff41a223a575aaf4a8800196255a4398fea4dff98fa8f315b4ea675f1
- SSDEEP: 196608:SAiDgpcQXledaHtC5/hABhZAbhKhnD7vyVGLi+Y3nZ/yy:fpcQXiNhChZAbhK2yipp
Malware Config
Signatures
-
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
-
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
-
Executes dropped EXE (1 IoC)
Processes:
  pid: 1088  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid: 952  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  pid: 952  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory (64 IoCs)
Processes:
  For every entry below: description = File opened for modification, process = B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  ioc:
  - C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
  - C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  - C:\PROGRA~2\WI4223~1\sidebar.exe
  - C:\PROGRA~2\WINDOW~1\WinMail.exe
  - C:\PROGRA~2\WI54FB~1\wmprph.exe
  - C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  - C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
  - C:\PROGRA~2\INTERN~1\iexplore.exe
  - C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
  - C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
  - C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
  - C:\PROGRA~2\WINDOW~1\wab.exe
  - C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  - C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
  - C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
  - C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  - C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
  - C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  - C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  - C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
  - C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
  - C:\PROGRA~2\WI54FB~1\WMPDMC.exe
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  - C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  - C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  - C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
  - C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
  - C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
  - C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
  - C:\PROGRA~2\WI54FB~1\wmplayer.exe
  - C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  - C:\PROGRA~2\INTERN~1\ielowutil.exe
  - C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  - C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  - C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
  - C:\PROGRA~2\INTERN~1\ieinstal.exe
  - C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  - C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  - C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\misc.exe
  - C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  - C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
  - C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
  - C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  - C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  - C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
  - C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
-
Drops file in Windows directory (1 IoC)
Processes:
  description: File opened for modification
  ioc: C:\Windows\svchost.com
  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings (1 IoC)
Processes:
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main
  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
-
Modifies registry class (1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid: 1088  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  pid: 1088  process: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description | pid | process | target process
  PID 952 wrote to memory of 1088 | 952 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  PID 952 wrote to memory of 1088 | 952 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  PID 952 wrote to memory of 1088 | 952 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  PID 952 wrote to memory of 1088 | 952 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe"
  - Modifies system executable filetype association
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of the process above): C:\Users\Admin\AppData\Local\Temp\3582-490\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Filesize: 9.1MB
  MD5: 9068a5a384c8acb0d0c1bab38255c649
  SHA1: 1c5b3fd96add72a8d2add834268cddb98e7e70be
  SHA256: d14d615e906c4ef4f9e2baddea5696913485b6828eea2780eed4fb1f0f537f4a
  SHA512: 457c63ae42d8e34647294156bd06a98b2ad6c2f8bdfbedec73b7959408a9376a4bf487cb4b43b932f92f93c5e7989dab147082e62e8df660b3486e57adab3834
- \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- \Users\Admin\AppData\Local\Temp\3582-490\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Filesize: 9.1MB
  MD5: 9068a5a384c8acb0d0c1bab38255c649
  SHA1: 1c5b3fd96add72a8d2add834268cddb98e7e70be
  SHA256: d14d615e906c4ef4f9e2baddea5696913485b6828eea2780eed4fb1f0f537f4a
  SHA512: 457c63ae42d8e34647294156bd06a98b2ad6c2f8bdfbedec73b7959408a9376a4bf487cb4b43b932f92f93c5e7989dab147082e62e8df660b3486e57adab3834
- memory/952-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
  Filesize: 8KB
- memory/1088-56-0x0000000000000000-mapping.dmp