Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
09-12-2022 05:34
General
-
Target
78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
-
Size
265KB
-
MD5
3ac0d935228460fdc38bdab692d71b0c
-
SHA1
d08f753af5b5d9be3352495189be6fd4914ad8e1
-
SHA256
78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
-
SHA512
04376fc469808504a8071f0b9baa35c4f922d7b69c4d4c6e77309022f95cf916a80b758a6733154f36e8be59d928b93903eec47a6df32e96b2ef3b4b6f0fde54
-
SSDEEP
6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN
Malware Config
Extracted
C:\README.html
us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>KCueoWKQaSt+yRRD81dTYB0nKzQVeSTtCiaoXzRn8WQosi8BBOZKikri9+AMHnkD
Signatures
-
Detect Neshta payload 12 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Venus
Venus is a ransomware first seen in 2022.
-
Venus Ransomware 8 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 5 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"C:\Users\Admin\AppData\Local\Temp\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"C:\Windows\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe" g g g o n e1233⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe/C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\System32\cmd.exe/c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- Runs ping.exe
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 2440 -ip 24401⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2440 -s 24641⤵
- Program crash
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5576410de51e63c3b5442540c8fdacbee
SHA18de673b679e0fee6e460cbf4f21ab728e41e0973
SHA2563f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db
-
Filesize
328KB
MD539c8a4c2c3984b64b701b85cb724533b
SHA1c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00
SHA256888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d
SHA512f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2
-
Filesize
4.8MB
MD5642c66aafd5192c9452811f6098243b7
SHA186d7b67589a434ebb4d9be31e9d46b5eb53a5e3f
SHA2560627b73598cf8d0fbd3b18928a36f9eabc719fd48cc2277d22f7c5ea9c7cae69
SHA51231810526b200594712fafbe0f5e8fcb1c4aed6be76915b0a92004a2e4b3015a44c8c45a4684fbc177fd60ffca7de1bdb80df9ae8c0a8db078b406bbdf0bdeb4b
-
Filesize
2.4MB
MD5eff8feeb05775414e5c6c60b3947e553
SHA171b5bfca4f8136df877f0bc7a4bea41d2cdd105d
SHA256da6530e544bd07c27ae0e7910ca0afe20df1c42af62df0be654277a50d80293d
SHA5121a1667cf05d895ed7215dbd9e6bb7a3e85794be5cd8df56f4a3f8122de21c0a693e1c6f71518ce5dd640e0644b74f15a2f37ead7e73cb7ffcc1e1263955fe986
-
Filesize
87KB
MD5f64b0888d723f0acbbfa5d4de770ca8e
SHA19331dfd7c70cb2a2fa6b857fae1e62da118ef0b3
SHA2561c02bd179fd114a89ba9c2d099a147a82f8c6cb5c1b9ba28e5e20a2dac99025c
SHA512a7bbb83b409fe18d4defcf242a5c70c581ad9f9324660ca6035bfa81c34e9ba1ab7bbff5c39e3e3687d9e2da76cc402ca7629214a1011603c38aae4747fc4f22
-
Filesize
4.0MB
MD5bb6525c957008b42d9f6ba49fe14e335
SHA15bda58701698f52f9db84901c45b17d03ebbd6e7
SHA256222897174f8b5dfa575a6c4de7b1c9ae3156ba2980600148efca7709c68aad57
SHA5127aaadbf97a9f429b3872a65e3836dce51ef8fc6d5e289cd4cff49b8f5e0dc4ac94df25a081fec29c89c10bdf03b52f05a3a267f72a9ac4645d141d4c05e53822
-
Filesize
183KB
MD59dfcdd1ab508b26917bb2461488d8605
SHA14ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA5121afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137
-
Filesize
132KB
MD511e1f9fb5290c9a9eab96321ab590420
SHA19934fc7eec2747e45ee09d7bc1a8b831721e2724
SHA2561a55e4bc3c0b5292d96af7fe13f51ff272a2875e7a52c54138e17758b1a063a1
SHA5124a4d85187000b3789cb61e1445a8bb8a3ef4b8a7550dc133c1fbe63994384b94c71c79fbffd97141629c374ff0ea028471039597a3f6e7e4b3b618d389988a28
-
Filesize
254KB
MD54ddc609ae13a777493f3eeda70a81d40
SHA18957c390f9b2c136d37190e32bccae3ae671c80a
SHA25616d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950
SHA5129d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5
-
Filesize
386KB
MD58c753d6448183dea5269445738486e01
SHA1ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA5124f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be
-
Filesize
125KB
MD5fd1cbdc041d3513bd2dc370f61b8ea14
SHA1ecfc0b8762b2e6b6502f000772f120f757b528db
SHA256389dfea4794d54aff2d7da8e04c9350c5e99ea113d07912d4a8b0e21e5087184
SHA5125eae83d91c2ebbf1a10648ff8f6c66c8427ed9e553d0968429910404ef86506418d4433a85ceee6ab9eb167d5f1861f2123e87befe6b2024766c6ca9641e20c5
-
Filesize
142KB
MD592dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA2563e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31
-
Filesize
278KB
MD512c29dd57aa69f45ddd2e47620e0a8d9
SHA1ba297aa3fe237ca916257bc46370b360a2db2223
SHA25622a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488
-
Filesize
92KB
MD5176436d406fd1aabebae353963b3ebcf
SHA19ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a
SHA2562f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f
SHA512a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
225KB
MD58691dae21568faaeda49bcd640e1ad23
SHA1524b589ef403ff21cf040ef33c21b1d6d8235feb
SHA2560a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be
SHA512870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d
-
Filesize
225KB
MD58691dae21568faaeda49bcd640e1ad23
SHA1524b589ef403ff21cf040ef33c21b1d6d8235feb
SHA2560a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be
SHA512870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d
-
Filesize
225KB
MD58691dae21568faaeda49bcd640e1ad23
SHA1524b589ef403ff21cf040ef33c21b1d6d8235feb
SHA2560a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be
SHA512870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d
-
Filesize
225KB
MD58691dae21568faaeda49bcd640e1ad23
SHA1524b589ef403ff21cf040ef33c21b1d6d8235feb
SHA2560a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be
SHA512870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d
-
Filesize
5.1MB
MD5acf8b472014f28493a644f5aec230ae2
SHA1aea5a024dcbd9de9c2971fcaee1a4159a7151116
SHA256e211dc8b01218ca4a9e1802d0158e9adfd307f81a8c64d84bf381ea31e0a99e0
SHA5124e4683a425fac7d035ee7cd62bd53513cef62d8a637fcc38669a811e477f81b2279b6823f15cd183d178d26b8de4fb06cb0e7542b5e13a05f2ae0fba11b4fea7
-
-
-
-
-
Filesize
248KB
-
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-