Analysis

  • max time kernel
    167s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-04-2023 11:04

General

  • Target

    a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe

  • Size

    96KB

  • MD5

    7f72105941c8f10b6260ef142b95965f

  • SHA1

    13024decb538649cec1f7f125907648c7ecf6b29

  • SHA256

    a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850

  • SHA512

    ca9a962b4d33721adfbec8a1c3988cf201c76eaffccbd2931fca4a9ef11007b664b3dda9c8cedfed170bcc716db0e84c313edd706ad8372e01b24b92ff4c97b9

  • SSDEEP

    1536:JxqjQ+P04wsmJCUrrdFyYv6gJZNeRBl5PT/rx1mzwRMSTdLpJ0M:sr85CUvdFq0QRrmzwR5JR

Signatures

  • Detect Neshta payload 14 IoCs
  • Neshta

    Malware from the Neshta family is a file infector: it injects itself into other executables to spread and cause damage.

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe
    "C:\Users\Admin\AppData\Local\Temp\a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3408
      • C:\Users\Admin\AppData\Local\Temp\3582-490\a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe"
        3⤵
        • Executes dropped EXE
        PID:2320
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          4⤵
          • Modifies Windows Firewall
          PID:1860
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          4⤵
          • Modifies Windows Firewall
          PID:4348
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4796
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3596
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3920
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4112
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4556
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4568
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4168
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2284

    Downloads

    • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

      Filesize

      2.4MB

      MD5

      8ffc3bdf4a1903d9e28b99d1643fc9c7

      SHA1

      919ba8594db0ae245a8abd80f9f3698826fc6fe5

      SHA256

      8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

      SHA512

      0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[F0237475-2939].[[email protected]].eking

      Filesize

      3.2MB

      MD5

      2bed39e72fe14d9a8dc51d5b89e22d17

      SHA1

      8504e0ab54ff1fb70d9ea5b2c9d38f3227f39db7

      SHA256

      75cf630129c28b2128e0e750238519dd7832dc4c41326955c689f42c53f107e4

      SHA512

      b71a6d42dc46a0c3ea6f1b90e7e42a8eafa20822f094a20b91ab9669d3f5c1f149873acbb91f8876c0c07629c7749d272a6cc121b5dc95ef56687e537b7921d9

    • C:\Users\Admin\AppData\Local\Temp\3582-490\a97a31e1a6c785b845feafd57b5d9474590005eb1ee0dba482335206c1d0b850.exe

      Filesize

      55KB

      MD5

      f9a10997982874520035e0c206712daf

      SHA1

      c76d65009f28c92c2aadd1ebf84fbe94005ed6ac

      SHA256

      b3568d9cba48a76ba9d9a2cc881ca5c21b59ca12278fb6aba5a06d9b1f1969e0

      SHA512

      78f4c00074e494e46c3dcd285b06deaec4dd1287f6798df1f6e0e1c42d7f9fdc89d97a37f74790b973fccfe4183fd9c49e5862325e26ccfbf15b3a7f87efb337

    • C:\odt\office2016setup.exe

      Filesize

      5.8MB

      MD5

      6625f8150f4507644fd526924a6d380f

      SHA1

      aa56569cd30c3bbc7cdfe8b4c90c3b23590c21bd

      SHA256

      e8dd224abb8d2c5673714437f7d8983c1cc5ecd02afcd46be91161c0092e4de8

      SHA512

      c2e24f9ce78406a92a7d94bb1bc6643a270640d6ad06b0e283afb1604c0643cf2eedbac2ac844022a8d257f0e2f308bfe3f727b7394f2dcd5d4110c5f7851348

    • memory/2408-711-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB
