neshta | 3584d148b7a74670cb6e633744de9b90f53ba0388ee9af369bb82503446212a7

General

Target

1b04654c14fdc19c54a855598f2aec8f.exe
Size

133KB
MD5

1b04654c14fdc19c54a855598f2aec8f
SHA1

d0e74542ea095620ad2c00c0027654829592aa82
SHA256

3584d148b7a74670cb6e633744de9b90f53ba0388ee9af369bb82503446212a7
SHA512

d4277601ebd28987b8e30d3cb9fe392e54d0615abd412422aaf85ceb2f1bea5ece0b3c90818d1ca9db0d30cee0a1fe8142c4f023b351b8ea72734eacacd0de83

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1b04654c14fdc19c54a855598f2aec8f.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

pid process

4216 1b04654c14fdc19c54a855598f2aec8f.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4216	1b04654c14fdc19c54a855598f2aec8f.exe

Drops file in Program Files directory 53 IoCs

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	1b04654c14fdc19c54a855598f2aec8f.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	1b04654c14fdc19c54a855598f2aec8f.exe

Drops file in Windows directory 1 IoCs

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

description ioc process

File opened for modification C:\Windows\svchost.com 1b04654c14fdc19c54a855598f2aec8f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4568 4216 WerFault.exe 1b04654c14fdc19c54a855598f2aec8f.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	1b04654c14fdc19c54a855598f2aec8f.exe

pid	pid_target	process	target process
4568	4216	WerFault.exe	1b04654c14fdc19c54a855598f2aec8f.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\1b04654c14fdc19c54a855598f2aec8f.exe = "11001"	1b04654c14fdc19c54a855598f2aec8f.exe

Modifies registry class 1 IoCs

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1b04654c14fdc19c54a855598f2aec8f.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1b04654c14fdc19c54a855598f2aec8f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000000400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1b04654c14fdc19c54a855598f2aec8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	1b04654c14fdc19c54a855598f2aec8f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e820000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1b04654c14fdc19c54a855598f2aec8f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6320000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	1b04654c14fdc19c54a855598f2aec8f.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe
4568	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1b04654c14fdc19c54a855598f2aec8f.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 4216 1b04654c14fdc19c54a855598f2aec8f.exe
Token: SeDebugPrivilege 4568 WerFault.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

pid process

4216 1b04654c14fdc19c54a855598f2aec8f.exe
4216 1b04654c14fdc19c54a855598f2aec8f.exe

description	pid	process
Token: SeDebugPrivilege	4216	1b04654c14fdc19c54a855598f2aec8f.exe
Token: SeDebugPrivilege	4568	WerFault.exe

pid	process
4216	1b04654c14fdc19c54a855598f2aec8f.exe
4216	1b04654c14fdc19c54a855598f2aec8f.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

1b04654c14fdc19c54a855598f2aec8f.exe

description	pid	process	target process
PID 4276 wrote to memory of 4216	4276	1b04654c14fdc19c54a855598f2aec8f.exe	1b04654c14fdc19c54a855598f2aec8f.exe
PID 4276 wrote to memory of 4216	4276	1b04654c14fdc19c54a855598f2aec8f.exe	1b04654c14fdc19c54a855598f2aec8f.exe

C:\Users\Admin\AppData\Local\Temp\1b04654c14fdc19c54a855598f2aec8f.exe
"C:\Users\Admin\AppData\Local\Temp\1b04654c14fdc19c54a855598f2aec8f.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\3582-490\1b04654c14fdc19c54a855598f2aec8f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\1b04654c14fdc19c54a855598f2aec8f.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4216 -s 2892
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\1b04654c14fdc19c54a855598f2aec8f.exe
MD5
e541afcc248201b0a116b5aebc62fc61

SHA1
3ab266b5fa937e109343f73c202119b2f9cf1892

SHA256
3260108f22616d6ba1eca12e269a664e9fc09c6d5f658de648c78d27289bc59c

SHA512
8d274e35de05ba587e68b1b9f665c5e267453a775e53971d2146c251d615c8d414e77b2dbebe7a45e1a9b75a2c08a3c3be5a9e0c785529fbc82df80672605082

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1b04654c14fdc19c54a855598f2aec8f.exe
MD5
e541afcc248201b0a116b5aebc62fc61

SHA1
3ab266b5fa937e109343f73c202119b2f9cf1892

SHA256
3260108f22616d6ba1eca12e269a664e9fc09c6d5f658de648c78d27289bc59c

SHA512
8d274e35de05ba587e68b1b9f665c5e267453a775e53971d2146c251d615c8d414e77b2dbebe7a45e1a9b75a2c08a3c3be5a9e0c785529fbc82df80672605082

Download Submit
memory/4216-115-0x0000000000000000-mapping.dmp

Download
memory/4216-118-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4216-120-0x000000001B6C0000-0x000000001B6C2000-memory.dmp

Filesize
8KB

Download
memory/4216-121-0x000000001B6C3000-0x000000001B6C4000-memory.dmp

Filesize
4KB

Download
memory/4216-122-0x000000001B6C2000-0x000000001B6C3000-memory.dmp

Filesize
4KB

Download
memory/4216-123-0x000000001B6C4000-0x000000001B6C5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads