Overview

overview

10

Static

static

10

e8013dbbfa...4a.exe

windows7-x64

10

e8013dbbfa...4a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2024 17:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe

  • Size

    89KB

  • MD5

    a6bd87588e880f65273180ce92385fa1

  • SHA1

    2c28e8a0557deb38741dc0eb805754814c81b7de

  • SHA256

    e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a

  • SHA512

    d91f946d5703d57b8cd72c7a92727e3f3182106ab644847b5f5b8db1b58ccc10f5a5168d3b8ca49beb61a384d3bca8a478596fbc8d55836955470517032cfcd2

  • SSDEEP

    1536:JxqjQ+P04wsmJCvTT2sd5sxaS318HxZATvnsblYO4/+:sr85CHRd5Kr318RZEvsbyOk+

Score
10/10
makopneshtapersistenceransomwarespywarestealer

Malware Config

Signatures

  • Detect Neshta payload 14 IoCs
  • MAKOP ransomware payload 1 IoCs
  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe
    "C:\Users\Admin\AppData\Local\Temp\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\3582-490\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe"
      2⤵
      • Executes dropped EXE
      PID:3156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
    Filesize

    2.4MB

    MD5

    8ffc3bdf4a1903d9e28b99d1643fc9c7

    SHA1

    919ba8594db0ae245a8abd80f9f3698826fc6fe5

    SHA256

    8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

    SHA512

    0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\e8013dbbfa2755e6cb962d3babb23c9d3f0f7ca615c887cd2cdbd9011cd5d44a.exe
    Filesize

    49KB

    MD5

    02a575b9f4c0018b36c1ddf6eac3020c

    SHA1

    5135f093a792f6e36d36f353b845ceaa0419d380

    SHA256

    81eaa2c5cbcb5997f6880834ce09ce80aedc68510f1b8cd61030ea925344b829

    SHA512

    41291fb341857db845caec441131ae815b5a24d787f00e7dcdb2fdae86d674a4f1f4cfbb938ef0475ac51ed456697482bb13febdc92d9a3dfbbac59e01845f6b

    Download Submit

  • memory/4864-101-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-96-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-97-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-100-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-63-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-102-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-103-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-104-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-105-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-106-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-107-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-108-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4864-109-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download