neshta | 5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2

Analysis

max time kernel
150s
max time network
103s
platform
windows7_x64
resource
win7-en-20210920
submitted
23-09-2021 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09876523456789.exe
Size

926KB
MD5

b8cdebc24a5ab6241373ae3bcc7d3053
SHA1

bb17815265e215c6de61489aca8019bb5ae473e0
SHA256

5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2
SHA512

b57809010853fce4520d4f0a144c5827f07e0105da22814480472d2d147006712867fcaead42e3aabaf88592344dad2ddca9771a5a616a105253cb5cd8b949e8

Score

10^/10

neshta xmrig evasion miner persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

09876523456789.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	09876523456789.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 8 IoCs

Processes:

09876523456789.exe09876523456789.exe 09876523456789.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
868	09876523456789.exe
984	09876523456789.exe
1236	09876523456789.exe
1224	icsys.icn.exe
1324	explorer.exe
888	spoolsv.exe
1584	svchost.exe
1216	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 18 IoCs

Processes:

09876523456789.exe09876523456789.exe09876523456789.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1044	09876523456789.exe
1044	09876523456789.exe
868	09876523456789.exe
984	09876523456789.exe
984	09876523456789.exe
868	09876523456789.exe
868	09876523456789.exe
1224	icsys.icn.exe
1224	icsys.icn.exe
1324	explorer.exe
1324	explorer.exe
888	spoolsv.exe
888	spoolsv.exe
1584	svchost.exe
1584	svchost.exe
1044	09876523456789.exe
1044	09876523456789.exe
1044	09876523456789.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 freegeoip.app
6 freegeoip.app
3 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

09876523456789.exe

description pid process target process

PID 984 set thread context of 1236 984 09876523456789.exe 09876523456789.exe

flow	ioc
5	freegeoip.app
6	freegeoip.app
3	checkip.dyndns.org

description	pid	process	target process
PID 984 set thread context of 1236	984	09876523456789.exe	09876523456789.exe

Drops file in Program Files directory 64 IoCs

Processes:

09876523456789.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	09876523456789.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	09876523456789.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	09876523456789.exe

Drops file in Windows directory 7 IoCs

Processes:

explorer.exe09876523456789.exeicsys.icn.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\svchost.com	09876523456789.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 14 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_2
\??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_2
\??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe	nsis_installer_1
\??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe	nsis_installer_2

Modifies registry class 1 IoCs

Processes:

09876523456789.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	09876523456789.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe09876523456789.exe

pid	process
1224	icsys.icn.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1584	svchost.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1236	09876523456789.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe
1324	explorer.exe
1584	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1324 explorer.exe
1584 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

09876523456789.exe

description pid process

Token: SeDebugPrivilege 1236 09876523456789.exe

pid	process
1324	explorer.exe
1584	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1236	09876523456789.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

09876523456789.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
868	09876523456789.exe
868	09876523456789.exe
1224	icsys.icn.exe
1224	icsys.icn.exe
1324	explorer.exe
1324	explorer.exe
888	spoolsv.exe
888	spoolsv.exe
1584	svchost.exe
1584	svchost.exe
1216	spoolsv.exe
1216	spoolsv.exe
1324	explorer.exe
1324	explorer.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

09876523456789.exe09876523456789.exe09876523456789.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1044 wrote to memory of 868	1044	09876523456789.exe	09876523456789.exe
PID 1044 wrote to memory of 868	1044	09876523456789.exe	09876523456789.exe
PID 1044 wrote to memory of 868	1044	09876523456789.exe	09876523456789.exe
PID 1044 wrote to memory of 868	1044	09876523456789.exe	09876523456789.exe
PID 868 wrote to memory of 984	868	09876523456789.exe	09876523456789.exe
PID 868 wrote to memory of 984	868	09876523456789.exe	09876523456789.exe
PID 868 wrote to memory of 984	868	09876523456789.exe	09876523456789.exe
PID 868 wrote to memory of 984	868	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 984 wrote to memory of 1236	984	09876523456789.exe	09876523456789.exe
PID 868 wrote to memory of 1224	868	09876523456789.exe	icsys.icn.exe
PID 868 wrote to memory of 1224	868	09876523456789.exe	icsys.icn.exe
PID 868 wrote to memory of 1224	868	09876523456789.exe	icsys.icn.exe
PID 868 wrote to memory of 1224	868	09876523456789.exe	icsys.icn.exe
PID 1224 wrote to memory of 1324	1224	icsys.icn.exe	explorer.exe
PID 1224 wrote to memory of 1324	1224	icsys.icn.exe	explorer.exe
PID 1224 wrote to memory of 1324	1224	icsys.icn.exe	explorer.exe
PID 1224 wrote to memory of 1324	1224	icsys.icn.exe	explorer.exe
PID 1324 wrote to memory of 888	1324	explorer.exe	spoolsv.exe
PID 1324 wrote to memory of 888	1324	explorer.exe	spoolsv.exe
PID 1324 wrote to memory of 888	1324	explorer.exe	spoolsv.exe
PID 1324 wrote to memory of 888	1324	explorer.exe	spoolsv.exe
PID 888 wrote to memory of 1584	888	spoolsv.exe	svchost.exe
PID 888 wrote to memory of 1584	888	spoolsv.exe	svchost.exe
PID 888 wrote to memory of 1584	888	spoolsv.exe	svchost.exe
PID 888 wrote to memory of 1584	888	spoolsv.exe	svchost.exe
PID 1584 wrote to memory of 1216	1584	svchost.exe	spoolsv.exe
PID 1584 wrote to memory of 1216	1584	svchost.exe	spoolsv.exe
PID 1584 wrote to memory of 1216	1584	svchost.exe	spoolsv.exe
PID 1584 wrote to memory of 1216	1584	svchost.exe	spoolsv.exe
PID 1584 wrote to memory of 1092	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1092	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1092	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1092	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1732	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1732	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1732	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1732	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1132	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1132	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1132	1584	svchost.exe	at.exe
PID 1584 wrote to memory of 1132	1584	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\09876523456789.exe
"C:\Users\Admin\AppData\Local\Temp\09876523456789.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

\??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:984

\??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SysWOW64\at.exe
at 13:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:1092

C:\Windows\SysWOW64\at.exe
at 13:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:1732

C:\Windows\SysWOW64\at.exe
at 13:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
MD5
2fce217b06eab217e49e58ae373f8ddb

SHA1
3145657a134272e403320b87a2ef1df87ea9ab07

SHA256
dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

SHA512
421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
MD5
bcc7a93ad8bad83eb4caf6228bf8ae6b

SHA1
c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

SHA256
cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

SHA512
a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
MD5
bcc7a93ad8bad83eb4caf6228bf8ae6b

SHA1
c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

SHA256
cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

SHA512
a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5
8329f0288b6df014a04153c750b678db

SHA1
5fb72256bbfdde0e47928e4d1712722b0ab64439

SHA256
13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

SHA512
8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5
cfd97063f21b585b7f4abe267298f6d1

SHA1
87aa494f51a7858048818ca784e9cbfd962e45d5

SHA256
d80859dc4ea6a674987a0ff80b113701076f2861a707a4b199f8e7b0c74cb248

SHA512
38ecd619867ca76607c6fd74ff05c53939f0be4e4da542a1d7077ea266971a2a9db50c346d58a5dd462dc37182b809dd45a20e5e38c7adeb969ed0ee71d5fef8

Download Submit
C:\Windows\system\explorer.exe
MD5
5b1da0d67621b3d0467e0148142745d6

SHA1
d093447c7c584e9f03282f219db74345c0884111

SHA256
2541efd96b72d7d4f3d0ba6d123368e7b8ef92b4a865214a20df936cf48b210f

SHA512
1315190b8e88315bb01c803d330909ecdec05079773ac005e791691b6e038804139d6a25ef9b63b64d487d9b65ed4fedde8153aa87d06e2a695dabd5b38cbe0d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
e6c9b8acbe46874f785f597259ebe071

SHA1
510bc65b7578ea6082d5baed4fe344d1cabb1c23

SHA256
f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848

SHA512
6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc

Download Submit
C:\Windows\system\spoolsv.exe
MD5
e6c9b8acbe46874f785f597259ebe071

SHA1
510bc65b7578ea6082d5baed4fe344d1cabb1c23

SHA256
f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848

SHA512
6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc

Download Submit
C:\Windows\system\svchost.exe
MD5
8ab0d16deeb98f242159b6378857adb1

SHA1
21b5560500bfc09443115d7c477f13d9f764d77a

SHA256
2e8eeee26e361940e5d2799dc848c20eeb49650bf85e2c42081ba1e2bdc9face

SHA512
f07329a816d40f0171a85d2b1326ad08eeef26819f84ae1192f9cfac0c423f29e9076827823d33cd1f081cf4f12526d33f03dddbc17fc03179fd545e3bb9dc7c

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
MD5
8329f0288b6df014a04153c750b678db

SHA1
5fb72256bbfdde0e47928e4d1712722b0ab64439

SHA256
13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

SHA512
8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

Download Submit
\??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
MD5
2fce217b06eab217e49e58ae373f8ddb

SHA1
3145657a134272e403320b87a2ef1df87ea9ab07

SHA256
dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

SHA512
421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

Download Submit
\??\c:\users\admin\appdata\local\temp\3582-490\09876523456789.exe
MD5
bcc7a93ad8bad83eb4caf6228bf8ae6b

SHA1
c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

SHA256
cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

SHA512
a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

Download Submit
\??\c:\windows\system\explorer.exe
MD5
5b1da0d67621b3d0467e0148142745d6

SHA1
d093447c7c584e9f03282f219db74345c0884111

SHA256
2541efd96b72d7d4f3d0ba6d123368e7b8ef92b4a865214a20df936cf48b210f

SHA512
1315190b8e88315bb01c803d330909ecdec05079773ac005e791691b6e038804139d6a25ef9b63b64d487d9b65ed4fedde8153aa87d06e2a695dabd5b38cbe0d

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
e6c9b8acbe46874f785f597259ebe071

SHA1
510bc65b7578ea6082d5baed4fe344d1cabb1c23

SHA256
f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848

SHA512
6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc

Download Submit
\??\c:\windows\system\svchost.exe
MD5
8ab0d16deeb98f242159b6378857adb1

SHA1
21b5560500bfc09443115d7c477f13d9f764d77a

SHA256
2e8eeee26e361940e5d2799dc848c20eeb49650bf85e2c42081ba1e2bdc9face

SHA512
f07329a816d40f0171a85d2b1326ad08eeef26819f84ae1192f9cfac0c423f29e9076827823d33cd1f081cf4f12526d33f03dddbc17fc03179fd545e3bb9dc7c

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
MD5
2fce217b06eab217e49e58ae373f8ddb

SHA1
3145657a134272e403320b87a2ef1df87ea9ab07

SHA256
dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

SHA512
421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
MD5
2fce217b06eab217e49e58ae373f8ddb

SHA1
3145657a134272e403320b87a2ef1df87ea9ab07

SHA256
dcc03ca5b2fcce59c03b279d100abfe39f0b1bba99187ce8fd706baa1e106a91

SHA512
421ae69e2381f6e07f1626c20f9b7fec8995c3bcfdc0abd9e45118c3db984997bfff373e2274ce5966a31013c806856df1a79ab9531d827a975ff26176e56d72

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
MD5
bcc7a93ad8bad83eb4caf6228bf8ae6b

SHA1
c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

SHA256
cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

SHA512
a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\09876523456789.exe
MD5
bcc7a93ad8bad83eb4caf6228bf8ae6b

SHA1
c7cc5a1b3e11fa3bf8a5b387190a5bc371c3f523

SHA256
cf956f8945da4247164dc3bfb243e6d56a721bed701a518cb9e3997505e11601

SHA512
a8d435d39f62488bf592171e1addd13c07fe7105bb844a7d0b3af1220fa6b916cba7272731b87b6c129be5fd5e1099923cdf700b6682e82774eee11c672bcc7f

Download Submit
\Users\Admin\AppData\Local\Temp\nsbB1D2.tmp\shbtviyozv.dll
MD5
b08548c50aeca632a4f589cf225be6e2

SHA1
102d9cb4a737eb6a0e130544f3aaf28603b199ac

SHA256
73d6764798d0afe045ef2dfd8c04d19fdaaa844ccd8beb8297025bca8bdb4cf0

SHA512
bb07aebac4284c457c99d36ccc1c1a8dcb8056c20ca5749f7bd20f9260cc974293ef0271fc6b311078569029c216f60fd470e0fc9adaef3a6a9b3c7b1f0ad94b

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
MD5
8329f0288b6df014a04153c750b678db

SHA1
5fb72256bbfdde0e47928e4d1712722b0ab64439

SHA256
13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

SHA512
8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
MD5
8329f0288b6df014a04153c750b678db

SHA1
5fb72256bbfdde0e47928e4d1712722b0ab64439

SHA256
13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

SHA512
8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
MD5
8329f0288b6df014a04153c750b678db

SHA1
5fb72256bbfdde0e47928e4d1712722b0ab64439

SHA256
13d0e98683b22102fdfa7d36a0a509c273c3901f6d20969d8ce2a217e3be274b

SHA512
8b586b39cb3a1944e16f791e1e637c3432ed382596f482f29f2845fb2803e29b929ced47c269ef305a2289c10202f0d8442cf16fd049ccd8cca55b32703ee394

Download Submit
\Users\Admin\AppData\Roaming\mrsys.exe
MD5
cfd97063f21b585b7f4abe267298f6d1

SHA1
87aa494f51a7858048818ca784e9cbfd962e45d5

SHA256
d80859dc4ea6a674987a0ff80b113701076f2861a707a4b199f8e7b0c74cb248

SHA512
38ecd619867ca76607c6fd74ff05c53939f0be4e4da542a1d7077ea266971a2a9db50c346d58a5dd462dc37182b809dd45a20e5e38c7adeb969ed0ee71d5fef8

Download Submit
\Windows\system\explorer.exe
MD5
5b1da0d67621b3d0467e0148142745d6

SHA1
d093447c7c584e9f03282f219db74345c0884111

SHA256
2541efd96b72d7d4f3d0ba6d123368e7b8ef92b4a865214a20df936cf48b210f

SHA512
1315190b8e88315bb01c803d330909ecdec05079773ac005e791691b6e038804139d6a25ef9b63b64d487d9b65ed4fedde8153aa87d06e2a695dabd5b38cbe0d

Download Submit
\Windows\system\explorer.exe
MD5
5b1da0d67621b3d0467e0148142745d6

SHA1
d093447c7c584e9f03282f219db74345c0884111

SHA256
2541efd96b72d7d4f3d0ba6d123368e7b8ef92b4a865214a20df936cf48b210f

SHA512
1315190b8e88315bb01c803d330909ecdec05079773ac005e791691b6e038804139d6a25ef9b63b64d487d9b65ed4fedde8153aa87d06e2a695dabd5b38cbe0d

Download Submit
\Windows\system\spoolsv.exe
MD5
e6c9b8acbe46874f785f597259ebe071

SHA1
510bc65b7578ea6082d5baed4fe344d1cabb1c23

SHA256
f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848

SHA512
6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc

Download Submit
\Windows\system\spoolsv.exe
MD5
e6c9b8acbe46874f785f597259ebe071

SHA1
510bc65b7578ea6082d5baed4fe344d1cabb1c23

SHA256
f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848

SHA512
6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc

Download Submit
\Windows\system\spoolsv.exe
MD5
e6c9b8acbe46874f785f597259ebe071

SHA1
510bc65b7578ea6082d5baed4fe344d1cabb1c23

SHA256
f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848

SHA512
6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc

Download Submit
\Windows\system\spoolsv.exe
MD5
e6c9b8acbe46874f785f597259ebe071

SHA1
510bc65b7578ea6082d5baed4fe344d1cabb1c23

SHA256
f225134f8e83e33f1a1bac0014a2c5a3e12ae1deb51357ccbb3cf609a8007848

SHA512
6ead6577ffd7b02399bbbc62284461afb33f4b45de3af5be548ae66a939d0e4a22f8a3dd9aceb2e72b6f849dbbe6ee01e47a1eb971aa53b11a5b8a255b0440cc

Download Submit
\Windows\system\svchost.exe
MD5
8ab0d16deeb98f242159b6378857adb1

SHA1
21b5560500bfc09443115d7c477f13d9f764d77a

SHA256
2e8eeee26e361940e5d2799dc848c20eeb49650bf85e2c42081ba1e2bdc9face

SHA512
f07329a816d40f0171a85d2b1326ad08eeef26819f84ae1192f9cfac0c423f29e9076827823d33cd1f081cf4f12526d33f03dddbc17fc03179fd545e3bb9dc7c

Download Submit
\Windows\system\svchost.exe
MD5
8ab0d16deeb98f242159b6378857adb1

SHA1
21b5560500bfc09443115d7c477f13d9f764d77a

SHA256
2e8eeee26e361940e5d2799dc848c20eeb49650bf85e2c42081ba1e2bdc9face

SHA512
f07329a816d40f0171a85d2b1326ad08eeef26819f84ae1192f9cfac0c423f29e9076827823d33cd1f081cf4f12526d33f03dddbc17fc03179fd545e3bb9dc7c

Download Submit
memory/868-56-0x0000000000000000-mapping.dmp

Download
memory/888-95-0x0000000000000000-mapping.dmp

Download
memory/984-64-0x0000000000000000-mapping.dmp

Download
memory/1044-53-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1092-119-0x0000000000000000-mapping.dmp

Download
memory/1132-131-0x0000000000000000-mapping.dmp

Download
memory/1216-114-0x0000000000000000-mapping.dmp

Download
memory/1224-76-0x0000000000000000-mapping.dmp

Download
memory/1236-123-0x0000000001F91000-0x0000000001F92000-memory.dmp

Filesize
4KB

Download
memory/1236-70-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1236-71-0x000000000040188B-mapping.dmp

Download
memory/1236-125-0x0000000001F97000-0x0000000001F98000-memory.dmp

Filesize
4KB

Download
memory/1236-124-0x0000000001F92000-0x0000000001F94000-memory.dmp

Filesize
8KB

Download
memory/1236-126-0x0000000001F98000-0x0000000001F99000-memory.dmp

Filesize
4KB

Download
memory/1236-103-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1236-92-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1324-85-0x0000000000000000-mapping.dmp

Download
memory/1584-105-0x0000000000000000-mapping.dmp

Download
memory/1732-129-0x0000000000000000-mapping.dmp

Download