neshta | 0bb5a52f4fe79a8c7fbb4462c472827d0a58e78b985dd102e6f444d41613e19e

Analysis

max time kernel
149s
max time network
60s
platform
windows7_x64
resource
win7v20210408
submitted
14-10-2021 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc196a38075b3009bbb2c7991f07cd3.exe
Size

657KB
MD5

3fc196a38075b3009bbb2c7991f07cd3
SHA1

ad0fe22f3d575530bbd4c03be30c8633639ba02c
SHA256

0bb5a52f4fe79a8c7fbb4462c472827d0a58e78b985dd102e6f444d41613e19e
SHA512

30505c73d8c224b061e32eaaeb5fe35420aab8afc21529946dc69c18177cb99c362ced78067818c8473020dbb4a5f0509719735790d5eb3fe8d4a5f3e6364f3c

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1508-81-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1508-82-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral1/memory/1508-97-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/668-109-0x00000000004080E4-mapping.dmp	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

3fc196a38075b3009bbb2c7991f07cd3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3fc196a38075b3009bbb2c7991f07cd3.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 7 IoCs

Processes:

3fc196a38075b3009bbb2c7991f07cd3.exe3fc196a38075b3009bbb2c7991f07cd3.exesvchost.com3FC196~1.EXE3FC196~1.EXEsvchost.com3FC196~1.EXE

pid	process
1996	3fc196a38075b3009bbb2c7991f07cd3.exe
1508	3fc196a38075b3009bbb2c7991f07cd3.exe
1768	svchost.com
432	3FC196~1.EXE
668	3FC196~1.EXE
1796	svchost.com
1420	3FC196~1.EXE

Loads dropped DLL 10 IoCs

Processes:

3fc196a38075b3009bbb2c7991f07cd3.exe3fc196a38075b3009bbb2c7991f07cd3.exe3fc196a38075b3009bbb2c7991f07cd3.exesvchost.com3FC196~1.EXE3FC196~1.EXEsvchost.com

pid	process
1340	3fc196a38075b3009bbb2c7991f07cd3.exe
1340	3fc196a38075b3009bbb2c7991f07cd3.exe
1340	3fc196a38075b3009bbb2c7991f07cd3.exe
1340	3fc196a38075b3009bbb2c7991f07cd3.exe
1996	3fc196a38075b3009bbb2c7991f07cd3.exe
1508	3fc196a38075b3009bbb2c7991f07cd3.exe
1768	svchost.com
432	3FC196~1.EXE
668	3FC196~1.EXE
1796	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 2 IoCs

Processes:

3fc196a38075b3009bbb2c7991f07cd3.exe3FC196~1.EXE

description	pid	process	target process
PID 1996 set thread context of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 432 set thread context of 668	432	3FC196~1.EXE	3FC196~1.EXE

Drops file in Program Files directory 64 IoCs

Processes:

3fc196a38075b3009bbb2c7991f07cd3.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Temp\GUMFBCB.tmp\GOFB2B~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	3fc196a38075b3009bbb2c7991f07cd3.exe

Drops file in Windows directory 8 IoCs

Processes:

3FC196~1.EXEsvchost.com3fc196a38075b3009bbb2c7991f07cd3.exe3fc196a38075b3009bbb2c7991f07cd3.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	3FC196~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\Windows\svchost.com	3fc196a38075b3009bbb2c7991f07cd3.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	3FC196~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

3fc196a38075b3009bbb2c7991f07cd3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3fc196a38075b3009bbb2c7991f07cd3.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

3fc196a38075b3009bbb2c7991f07cd3.exe3fc196a38075b3009bbb2c7991f07cd3.exe3fc196a38075b3009bbb2c7991f07cd3.exesvchost.com3FC196~1.EXE3FC196~1.EXEsvchost.com

description	pid	process	target process
PID 1340 wrote to memory of 1996	1340	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1340 wrote to memory of 1996	1340	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1340 wrote to memory of 1996	1340	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1340 wrote to memory of 1996	1340	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1996 wrote to memory of 1508	1996	3fc196a38075b3009bbb2c7991f07cd3.exe	3fc196a38075b3009bbb2c7991f07cd3.exe
PID 1508 wrote to memory of 1768	1508	3fc196a38075b3009bbb2c7991f07cd3.exe	svchost.com
PID 1508 wrote to memory of 1768	1508	3fc196a38075b3009bbb2c7991f07cd3.exe	svchost.com
PID 1508 wrote to memory of 1768	1508	3fc196a38075b3009bbb2c7991f07cd3.exe	svchost.com
PID 1508 wrote to memory of 1768	1508	3fc196a38075b3009bbb2c7991f07cd3.exe	svchost.com
PID 1768 wrote to memory of 432	1768	svchost.com	3FC196~1.EXE
PID 1768 wrote to memory of 432	1768	svchost.com	3FC196~1.EXE
PID 1768 wrote to memory of 432	1768	svchost.com	3FC196~1.EXE
PID 1768 wrote to memory of 432	1768	svchost.com	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 432 wrote to memory of 668	432	3FC196~1.EXE	3FC196~1.EXE
PID 668 wrote to memory of 1796	668	3FC196~1.EXE	svchost.com
PID 668 wrote to memory of 1796	668	3FC196~1.EXE	svchost.com
PID 668 wrote to memory of 1796	668	3FC196~1.EXE	svchost.com
PID 668 wrote to memory of 1796	668	3FC196~1.EXE	svchost.com
PID 1796 wrote to memory of 1420	1796	svchost.com	3FC196~1.EXE
PID 1796 wrote to memory of 1420	1796	svchost.com	3FC196~1.EXE
PID 1796 wrote to memory of 1420	1796	svchost.com	3FC196~1.EXE
PID 1796 wrote to memory of 1420	1796	svchost.com	3FC196~1.EXE

C:\Users\Admin\AppData\Local\Temp\3fc196a38075b3009bbb2c7991f07cd3.exe
"C:\Users\Admin\AppData\Local\Temp\3fc196a38075b3009bbb2c7991f07cd3.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\3FC196~1.EXE
8⤵
- Executes dropped EXE
PID:1420

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
ddf877b65501014ad61c37aef19cb9c9

SHA1
19e7f6ba745a5a73f7674b0e8c9f35741e523bc0

SHA256
0c671bc28a6282faffd5889562f0f6b3804536657307f9ee1528b3c7824ce897

SHA512
a16a82f4c2fa819de6c830bdec56fd0ad97f274f44c8919bd004c500b38335f81639fde51c01a77d5611a4e5f69c13092dc2cef255659f3152633eb146164de8

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
128818bec0ec858f48cd909fb80ded09

SHA1
77ac80bbf52760da4fa78776401f736a40715e91

SHA256
a26881ea776761a032e0f29988ae9e861c52dacfde41b7069139dc76006cc334

SHA512
63559370006238e073ed584b1868ee63e7a2c4dcbd612413901f42fb55027f1048d3f705afbf91ab8fb2b3215841adb3e9c9db3242529a818fd29f881fc1d2df

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Google\Temp\GUMFBCB.tmp\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\3fc196a38075b3009bbb2c7991f07cd3.exe
MD5
56f80d88075ddabc45b411cbdff5f90a

SHA1
579500f1ccaec744be68aecf9e7fca75f5cd1ae2

SHA256
070437316a851ef4eaa9450e6fa986d5a48abbdaf6eb881ab2b2df65b3b7d80d

SHA512
0c1b54f4bb1d1dd33a59c3a153e3435730748601de1f0702a2087f7abf9689b642864b6fff763dcdab49c3c74d019c214091161f5fc7b2714fd06e21e6b63111

Download Submit
memory/432-94-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/432-98-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/432-92-0x0000000000000000-mapping.dmp

Download
memory/668-109-0x00000000004080E4-mapping.dmp

Download
memory/1340-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1420-121-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1420-124-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1420-119-0x0000000000000000-mapping.dmp

Download
memory/1508-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-82-0x00000000004080E4-mapping.dmp

Download
memory/1508-75-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-77-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-81-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1768-87-0x0000000000000000-mapping.dmp

Download
memory/1796-113-0x0000000000000000-mapping.dmp

Download
memory/1996-72-0x0000000005310000-0x0000000005389000-memory.dmp

Filesize
484KB

Download
memory/1996-71-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/1996-67-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1996-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1996-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads