neshta | 20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4

Analysis

max time kernel
132s
max time network
121s
platform
windows10_x64
resource
win10-en-20210920
submitted
11-10-2021 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
Size

1.0MB
MD5

3da25eeec25c2971a573681064c76b29
SHA1

6fd2b9999b08dfa4410ebc92325e64dcfbfdcca6
SHA256

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4
SHA512

050330bcaf1a32a4f6694bb7b1d50f6a9822787c4978f317dc4204382368ea102db1453ae40d1712fcea8bf97f8f45f85f7d0bfa0e8e946ab8435ca05cc8d23c

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/752-127-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/752-128-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/752-136-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1160-143-0x00000000049E0000-0x0000000004EDE000-memory.dmp	family_neshta
behavioral1/memory/2652-147-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/4224-166-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 10 IoCs

Processes:

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exesvchost.com20C2FC~1.EXE20C2FC~1.EXEsvchost.com20C2FC~1.EXE20C2FC~1.EXEsvchost.com20C2FC~1.EXE

pid	process
4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
752	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
876	svchost.com
1160	20C2FC~1.EXE
2652	20C2FC~1.EXE
2772	svchost.com
3612	20C2FC~1.EXE
4224	20C2FC~1.EXE
1088	svchost.com
5064	20C2FC~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe20C2FC~1.EXE20C2FC~1.EXE

description	pid	process	target process
PID 4352 set thread context of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 1160 set thread context of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 set thread context of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE

Drops file in Program Files directory 53 IoCs

Processes:

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe

Drops file in Windows directory 12 IoCs

Processes:

20C2FC~1.EXE20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exesvchost.com20C2FC~1.EXEsvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\directx.sys	20C2FC~1.EXE
File opened for modification	C:\Windows\svchost.com	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\Windows\svchost.com	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	20C2FC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	20C2FC~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	20C2FC~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe20C2FC~1.EXE20C2FC~1.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	20C2FC~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	20C2FC~1.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exesvchost.com20C2FC~1.EXE20C2FC~1.EXEsvchost.com20C2FC~1.EXE20C2FC~1.EXEsvchost.com

description	pid	process	target process
PID 440 wrote to memory of 4352	440	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 440 wrote to memory of 4352	440	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 440 wrote to memory of 4352	440	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 4352 wrote to memory of 752	4352	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
PID 752 wrote to memory of 876	752	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	svchost.com
PID 752 wrote to memory of 876	752	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	svchost.com
PID 752 wrote to memory of 876	752	20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe	svchost.com
PID 876 wrote to memory of 1160	876	svchost.com	20C2FC~1.EXE
PID 876 wrote to memory of 1160	876	svchost.com	20C2FC~1.EXE
PID 876 wrote to memory of 1160	876	svchost.com	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 1160 wrote to memory of 2652	1160	20C2FC~1.EXE	20C2FC~1.EXE
PID 2652 wrote to memory of 2772	2652	20C2FC~1.EXE	svchost.com
PID 2652 wrote to memory of 2772	2652	20C2FC~1.EXE	svchost.com
PID 2652 wrote to memory of 2772	2652	20C2FC~1.EXE	svchost.com
PID 2772 wrote to memory of 3612	2772	svchost.com	20C2FC~1.EXE
PID 2772 wrote to memory of 3612	2772	svchost.com	20C2FC~1.EXE
PID 2772 wrote to memory of 3612	2772	svchost.com	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 3612 wrote to memory of 4224	3612	20C2FC~1.EXE	20C2FC~1.EXE
PID 4224 wrote to memory of 1088	4224	20C2FC~1.EXE	svchost.com
PID 4224 wrote to memory of 1088	4224	20C2FC~1.EXE	svchost.com
PID 4224 wrote to memory of 1088	4224	20C2FC~1.EXE	svchost.com
PID 1088 wrote to memory of 5064	1088	svchost.com	20C2FC~1.EXE
PID 1088 wrote to memory of 5064	1088	svchost.com	20C2FC~1.EXE
PID 1088 wrote to memory of 5064	1088	svchost.com	20C2FC~1.EXE

C:\Users\Admin\AppData\Local\Temp\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
"C:\Users\Admin\AppData\Local\Temp\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:440

C:\Users\Admin\AppData\Local\Temp\3582-490\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\3582-490\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE"
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE"
9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE"
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
11⤵
- Executes dropped EXE
PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20C2FC~1.EXE.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20C2FC~1.EXE
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20c2fcc0fe77cbf1f80e1d95e80bcaafded7a6605dc525175d9d6a7e2243aca4.exe
MD5
13a1c548abf86e0c908fdeca6fb315fe

SHA1
c2988a93906cffd63704990194eb9b3ba556a209

SHA256
42b3efec41088a0afd2cc17e038169dd572baa116aa734a427012d39917f4107

SHA512
db1b2013853fcad8c54337af2cb42f1c54a0b73cf438475e58d799a0623808686ca5100f275de8d90d3169747e0ed3ee132bca720c0e04eea565c33fde58a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
e612335e8e8278dd793c1cc301b30f1b

SHA1
648513da3b9f07b097c59a3afd76f5c7b7f060eb

SHA256
d210f9c419dc9771d83d61e717a61e8c0328c55005312303e8d80404a9b8c017

SHA512
4d1f8c78512c0c3651ef1f4e1e3cf83aabab56c0ae96cc01d4a6b3b7d6ba42e75ae7716cb49e071f07827a6c30f6af7762a01b3d0c1e21bce926ba63ccbad765

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
1f33345a6af587ed87737444e6142f61

SHA1
095566e5d4aae1ca9f39c686daf26c68f935dc0f

SHA256
628a99d77d1be6e9a4c056c5ad15f3f20129c0cf6e91475a5f448e2de9075f8f

SHA512
1252bd8b79e283ed39d08ddf79ca0206381436568ee6791325526684564db3aef4d2b2380cfdd2576120623bf7a6b4535d7aae78419ef4402f80a714f5dbbe00

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/752-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/752-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/752-128-0x00000000004080E4-mapping.dmp

Download
memory/876-130-0x0000000000000000-mapping.dmp

Download
memory/1088-168-0x0000000000000000-mapping.dmp

Download
memory/1160-143-0x00000000049E0000-0x0000000004EDE000-memory.dmp

Filesize
5.0MB

Download
memory/1160-134-0x0000000000000000-mapping.dmp

Download
memory/2652-147-0x00000000004080E4-mapping.dmp

Download
memory/2772-149-0x0000000000000000-mapping.dmp

Download
memory/3612-162-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/3612-153-0x0000000000000000-mapping.dmp

Download
memory/4224-166-0x00000000004080E4-mapping.dmp

Download
memory/4352-123-0x00000000049B0000-0x0000000004EAE000-memory.dmp

Filesize
5.0MB

Download
memory/4352-124-0x0000000004C40000-0x0000000004C51000-memory.dmp

Filesize
68KB

Download
memory/4352-125-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/4352-126-0x0000000006ED0000-0x0000000006F26000-memory.dmp

Filesize
344KB

Download
memory/4352-115-0x0000000000000000-mapping.dmp

Download
memory/4352-122-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/4352-121-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4352-120-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/4352-118-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5064-172-0x0000000000000000-mapping.dmp

Download
memory/5064-179-0x0000000005520000-0x0000000005A1E000-memory.dmp

Filesize
5.0MB

Download