Analysis
max time kernel: 161s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 12:26
Static task: static1
Behavioral task: behavioral1
  Sample: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Resource: win10v2004-20220812-en
General
Target: B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Size: 9.1MB
MD5: 71d1b7ce025e5d50d245d777cf47b2ea
SHA1: 41ff2c2f863df5e52c8ab28705cf1df1f633f15c
SHA256: b9806db6959eaf756dd803b51495ab2d9b2ef4aa0b7a902b268d07ab7af15748
SHA512: c2e065cb471365981b043b19aabc79a8572a39c14edcb7da8cc9a6afb9cb18a4620dcf7ff41a223a575aaf4a8800196255a4398fea4dff98fa8f315b4ea675f1
SSDEEP: 196608:SAiDgpcQXledaHtC5/hABhZAbhKhnD7vyVGLi+Y3nZ/yy:fpcQXiNhChZAbhK2yipp
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Neshta
Malware from the Neshta family inserts itself into other executable files in order to spread and cause damage.
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  5020 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops file in Program Files directory (64 IoCs)
Processes:
  description (all 64 entries): File opened for modification
  process (all 64 entries): B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  ioc:
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WINDOW~4\wmplayer.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
  C:\PROGRA~2\WINDOW~4\wmlaunch.exe
  C:\PROGRA~2\WINDOW~4\wmpconfig.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE
  C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\INTERN~1\ExtExport.exe
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
  C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE
  C:\PROGRA~2\WINDOW~4\setup_wm.exe
  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  C:\PROGRA~2\WINDOW~4\wmpshare.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  5020 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  5020 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 3436 wrote to memory of 5020 | 3436 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  PID 3436 wrote to memory of 5020 | 3436 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  PID 3436 wrote to memory of 5020 | 3436 | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe | B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3582-490\B9806DB6959EAF756DD803B51495AB2D9B2EF4AA0B7A9.exe
  Filesize: 9.1MB
  MD5: 9068a5a384c8acb0d0c1bab38255c649
  SHA1: 1c5b3fd96add72a8d2add834268cddb98e7e70be
  SHA256: d14d615e906c4ef4f9e2baddea5696913485b6828eea2780eed4fb1f0f537f4a
  SHA512: 457c63ae42d8e34647294156bd06a98b2ad6c2f8bdfbedec73b7959408a9376a4bf487cb4b43b932f92f93c5e7989dab147082e62e8df660b3486e57adab3834
memory/5020-132-0x0000000000000000-mapping.dmp