neshta | a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8

Analysis

max time kernel
148s
max time network
118s
platform
windows10_x64
resource
win10-en-20210920
submitted
08-10-2021 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d22685ef9d80598a24d2f096e527da9.exe
Size

506KB
MD5

7d22685ef9d80598a24d2f096e527da9
SHA1

458b1d290faa64ebbe4c5989229bacc060bd8713
SHA256

a3d59149a2b1ddb119228ca898c8f6ea1a9256b9567f00bfb1529283960b34d8
SHA512

ca691bfae066e4dc2298e803f23055e999c405b170165f3c4658b232ce0a820e356347cfe164dc046a763842a2d42d4d3a241792d88f3754b5b3ddf484f976f3

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1320-128-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1320-129-0x00000000004080E4-mapping.dmp	family_neshta
behavioral2/memory/1320-131-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/2376-149-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/3500-170-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/2884-185-0x00000000054B0000-0x00000000059AE000-memory.dmp	family_neshta
behavioral2/memory/3636-189-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7d22685ef9d80598a24d2f096e527da9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7d22685ef9d80598a24d2f096e527da9.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 14 IoCs

Processes:

7d22685ef9d80598a24d2f096e527da9.exe7d22685ef9d80598a24d2f096e527da9.exesvchost.com7D2268~1.EXE7D2268~1.EXEsvchost.com7D2268~1.EXE7D2268~1.EXE7D2268~1.EXEsvchost.com7D2268~1.EXE7D2268~1.EXEsvchost.com7D2268~1.EXE

pid	process
3772	7d22685ef9d80598a24d2f096e527da9.exe
1320	7d22685ef9d80598a24d2f096e527da9.exe
1152	svchost.com
1828	7D2268~1.EXE
2376	7D2268~1.EXE
1584	svchost.com
3152	7D2268~1.EXE
3272	7D2268~1.EXE
3500	7D2268~1.EXE
800	svchost.com
2884	7D2268~1.EXE
3636	7D2268~1.EXE
3220	svchost.com
2512	7D2268~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 4 IoCs

Processes:

7d22685ef9d80598a24d2f096e527da9.exe7D2268~1.EXE7D2268~1.EXE7D2268~1.EXE

description	pid	process	target process
PID 3772 set thread context of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 1828 set thread context of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 3152 set thread context of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 2884 set thread context of 3636	2884	7D2268~1.EXE	7D2268~1.EXE

Drops file in Program Files directory 53 IoCs

Processes:

7d22685ef9d80598a24d2f096e527da9.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	7d22685ef9d80598a24d2f096e527da9.exe

Drops file in Windows directory 16 IoCs

Processes:

7D2268~1.EXEsvchost.com7d22685ef9d80598a24d2f096e527da9.exe7D2268~1.EXEsvchost.com7D2268~1.EXEsvchost.comsvchost.com7d22685ef9d80598a24d2f096e527da9.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	7D2268~1.EXE
File opened for modification	C:\Windows\svchost.com	7D2268~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\Windows\svchost.com	7D2268~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7D2268~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	7D2268~1.EXE
File opened for modification	C:\Windows\directx.sys	7D2268~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	7d22685ef9d80598a24d2f096e527da9.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

7D2268~1.EXE7D2268~1.EXE7D2268~1.EXE7d22685ef9d80598a24d2f096e527da9.exe7d22685ef9d80598a24d2f096e527da9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	7D2268~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	7D2268~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	7D2268~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7d22685ef9d80598a24d2f096e527da9.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	7d22685ef9d80598a24d2f096e527da9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7D2268~1.EXE

pid process

3152 7D2268~1.EXE
3152 7D2268~1.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7D2268~1.EXE

description pid process

Token: SeDebugPrivilege 3152 7D2268~1.EXE

pid	process
3152	7D2268~1.EXE
3152	7D2268~1.EXE

description	pid	process
Token: SeDebugPrivilege	3152	7D2268~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d22685ef9d80598a24d2f096e527da9.exe7d22685ef9d80598a24d2f096e527da9.exe7d22685ef9d80598a24d2f096e527da9.exesvchost.com7D2268~1.EXE7D2268~1.EXEsvchost.com7D2268~1.EXE7D2268~1.EXEsvchost.com7D2268~1.EXE

description	pid	process	target process
PID 1776 wrote to memory of 3772	1776	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 1776 wrote to memory of 3772	1776	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 1776 wrote to memory of 3772	1776	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 3772 wrote to memory of 1320	3772	7d22685ef9d80598a24d2f096e527da9.exe	7d22685ef9d80598a24d2f096e527da9.exe
PID 1320 wrote to memory of 1152	1320	7d22685ef9d80598a24d2f096e527da9.exe	svchost.com
PID 1320 wrote to memory of 1152	1320	7d22685ef9d80598a24d2f096e527da9.exe	svchost.com
PID 1320 wrote to memory of 1152	1320	7d22685ef9d80598a24d2f096e527da9.exe	svchost.com
PID 1152 wrote to memory of 1828	1152	svchost.com	7D2268~1.EXE
PID 1152 wrote to memory of 1828	1152	svchost.com	7D2268~1.EXE
PID 1152 wrote to memory of 1828	1152	svchost.com	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 1828 wrote to memory of 2376	1828	7D2268~1.EXE	7D2268~1.EXE
PID 2376 wrote to memory of 1584	2376	7D2268~1.EXE	svchost.com
PID 2376 wrote to memory of 1584	2376	7D2268~1.EXE	svchost.com
PID 2376 wrote to memory of 1584	2376	7D2268~1.EXE	svchost.com
PID 1584 wrote to memory of 3152	1584	svchost.com	7D2268~1.EXE
PID 1584 wrote to memory of 3152	1584	svchost.com	7D2268~1.EXE
PID 1584 wrote to memory of 3152	1584	svchost.com	7D2268~1.EXE
PID 3152 wrote to memory of 3272	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3272	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3272	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3152 wrote to memory of 3500	3152	7D2268~1.EXE	7D2268~1.EXE
PID 3500 wrote to memory of 800	3500	7D2268~1.EXE	svchost.com
PID 3500 wrote to memory of 800	3500	7D2268~1.EXE	svchost.com
PID 3500 wrote to memory of 800	3500	7D2268~1.EXE	svchost.com
PID 800 wrote to memory of 2884	800	svchost.com	7D2268~1.EXE
PID 800 wrote to memory of 2884	800	svchost.com	7D2268~1.EXE
PID 800 wrote to memory of 2884	800	svchost.com	7D2268~1.EXE
PID 2884 wrote to memory of 3636	2884	7D2268~1.EXE	7D2268~1.EXE
PID 2884 wrote to memory of 3636	2884	7D2268~1.EXE	7D2268~1.EXE
PID 2884 wrote to memory of 3636	2884	7D2268~1.EXE	7D2268~1.EXE
PID 2884 wrote to memory of 3636	2884	7D2268~1.EXE	7D2268~1.EXE
PID 2884 wrote to memory of 3636	2884	7D2268~1.EXE	7D2268~1.EXE
PID 2884 wrote to memory of 3636	2884	7D2268~1.EXE	7D2268~1.EXE
PID 2884 wrote to memory of 3636	2884	7D2268~1.EXE	7D2268~1.EXE

C:\Users\Admin\AppData\Local\Temp\7d22685ef9d80598a24d2f096e527da9.exe
"C:\Users\Admin\AppData\Local\Temp\7d22685ef9d80598a24d2f096e527da9.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\3582-490\7d22685ef9d80598a24d2f096e527da9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\7d22685ef9d80598a24d2f096e527da9.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\3582-490\7d22685ef9d80598a24d2f096e527da9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\7d22685ef9d80598a24d2f096e527da9.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
9⤵
- Executes dropped EXE
PID:3272

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:3636

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE"
13⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3220

C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
14⤵
- Executes dropped EXE
PID:2512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7D2268~1.EXE.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7D2268~1.EXE
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7d22685ef9d80598a24d2f096e527da9.exe
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7d22685ef9d80598a24d2f096e527da9.exe
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7d22685ef9d80598a24d2f096e527da9.exe
MD5
fd31986696a39355b9e100754b4724e3

SHA1
4f1045ce5437b5a761c02a1446c0defd89280ddb

SHA256
a58aca3d20dec5c5f100ade6a9f6182f5f7a783f8269cb032e20780041e44f08

SHA512
bbb78d8f77973f2349a0a82e3e9ab046b79cdd37053375c5d21b7297c36b587e0809bced70f38d4d621af28f04fdca5701c294e04d4cf04f09582ada580a7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
f16f8fba5305f16c81bcf1c89c3f44c7

SHA1
f7940d7e2bec750c38fdcea2d1aa9c987630a37f

SHA256
b559d2d910d9611fe82f042159c8f09046bde4826c8dc882d1e7cb0a1806adc3

SHA512
03709fefe28f72a70a21c276d79f65bc89fc72217ad804ccbf30ab36bf338b71c7d61e0d09d2afd6750e05f84c8703b20d6d893949a08c57fbc32756d7db66a3

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
c48c47056b0d8708930aa916a83b839d

SHA1
cdb57d05c185962666ca567febba92aa36b9b70f

SHA256
0bb024a7157e190ec23dffa0ddb79d024c8791a10765d8c196f2770476c6aa92

SHA512
b9cb0499ea19b8f18bc35c856db2a518eeb88aab9d958fda6e72aaae1df4fce84d2438a59da7369b0805d12e96e0ca3b29106ef7ecbab1afe557c33d697624a5

Download Submit
C:\Windows\directx.sys
MD5
c48c47056b0d8708930aa916a83b839d

SHA1
cdb57d05c185962666ca567febba92aa36b9b70f

SHA256
0bb024a7157e190ec23dffa0ddb79d024c8791a10765d8c196f2770476c6aa92

SHA512
b9cb0499ea19b8f18bc35c856db2a518eeb88aab9d958fda6e72aaae1df4fce84d2438a59da7369b0805d12e96e0ca3b29106ef7ecbab1afe557c33d697624a5

Download Submit
C:\Windows\directx.sys
MD5
c48c47056b0d8708930aa916a83b839d

SHA1
cdb57d05c185962666ca567febba92aa36b9b70f

SHA256
0bb024a7157e190ec23dffa0ddb79d024c8791a10765d8c196f2770476c6aa92

SHA512
b9cb0499ea19b8f18bc35c856db2a518eeb88aab9d958fda6e72aaae1df4fce84d2438a59da7369b0805d12e96e0ca3b29106ef7ecbab1afe557c33d697624a5

Download Submit
C:\Windows\directx.sys
MD5
c48c47056b0d8708930aa916a83b839d

SHA1
cdb57d05c185962666ca567febba92aa36b9b70f

SHA256
0bb024a7157e190ec23dffa0ddb79d024c8791a10765d8c196f2770476c6aa92

SHA512
b9cb0499ea19b8f18bc35c856db2a518eeb88aab9d958fda6e72aaae1df4fce84d2438a59da7369b0805d12e96e0ca3b29106ef7ecbab1afe557c33d697624a5

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/800-172-0x0000000000000000-mapping.dmp

Download
memory/1152-132-0x0000000000000000-mapping.dmp

Download
memory/1320-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1320-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1320-129-0x00000000004080E4-mapping.dmp

Download
memory/1584-151-0x0000000000000000-mapping.dmp

Download
memory/1828-145-0x0000000004A30000-0x0000000004F2E000-memory.dmp

Filesize
5.0MB

Download
memory/1828-136-0x0000000000000000-mapping.dmp

Download
memory/2376-149-0x00000000004080E4-mapping.dmp

Download
memory/2512-204-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/2512-195-0x0000000000000000-mapping.dmp

Download
memory/2884-185-0x00000000054B0000-0x00000000059AE000-memory.dmp

Filesize
5.0MB

Download
memory/2884-176-0x0000000000000000-mapping.dmp

Download
memory/3152-155-0x0000000000000000-mapping.dmp

Download
memory/3152-165-0x0000000005550000-0x0000000005A4E000-memory.dmp

Filesize
5.0MB

Download
memory/3220-191-0x0000000000000000-mapping.dmp

Download
memory/3500-170-0x00000000004080E4-mapping.dmp

Download
memory/3636-189-0x00000000004080E4-mapping.dmp

Download
memory/3772-122-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3772-123-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/3772-125-0x00000000059B0000-0x00000000059B6000-memory.dmp

Filesize
24KB

Download
memory/3772-127-0x00000000092D0000-0x0000000009307000-memory.dmp

Filesize
220KB

Download
memory/3772-121-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/3772-120-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/3772-126-0x0000000009260000-0x00000000092C7000-memory.dmp

Filesize
412KB

Download
memory/3772-124-0x00000000057A0000-0x0000000005C9E000-memory.dmp

Filesize
5.0MB

Download
memory/3772-118-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/3772-115-0x0000000000000000-mapping.dmp

Download