neshta | e0eb4d976cc6ba910c0dda90ea2da992e777c0dd46c7fb3e9256dc6a67b44731

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-12-2021 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp/cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
Size

4.3MB
MD5

313c82449546d79cfdc7c42295bd80d7
SHA1

d4a1753a524f6cfcef08cfd429ef4291e54df7a8
SHA256

e0eb4d976cc6ba910c0dda90ea2da992e777c0dd46c7fb3e9256dc6a67b44731
SHA512

6896427b300a03c113038a9c1993ce06b7165e130eb33421f4227162b4dbe59769d473daa1cbc4f6219c859510bf2bcb4a934013d4942859ff3b9bf70297b7b7

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 16 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 8 IoCs

Processes:

svchost.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.comCB44D0~1.EXE

pid	process
1540	svchost.exe
520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
872	svchost.exe
1384	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
1424	svchost.exe
1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
796	svchost.com
1508	CB44D0~1.EXE

Loads dropped DLL 13 IoCs

Processes:

svchost.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.com

pid	process
1540	svchost.exe
1540	svchost.exe
520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
1424	svchost.exe
1424	svchost.exe
1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
796	svchost.com
1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe

Drops file in Windows directory 6 IoCs

Processes:

cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.com

description	ioc	process
File created	C:\Windows\svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\Windows\svchost.com	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File created	C:\Windows\svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\Windows\svchost.com	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.execb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exesvchost.com

description	pid	process	target process
PID 1908 wrote to memory of 1540	1908	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1908 wrote to memory of 1540	1908	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1908 wrote to memory of 1540	1908	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1908 wrote to memory of 1540	1908	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1540 wrote to memory of 520	1540	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1540 wrote to memory of 520	1540	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1540 wrote to memory of 520	1540	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1540 wrote to memory of 520	1540	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 520 wrote to memory of 1384	520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 520 wrote to memory of 1384	520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 520 wrote to memory of 1384	520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 520 wrote to memory of 1384	520	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1384 wrote to memory of 1424	1384	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1384 wrote to memory of 1424	1384	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1384 wrote to memory of 1424	1384	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1384 wrote to memory of 1424	1384	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.exe
PID 1424 wrote to memory of 1080	1424	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1424 wrote to memory of 1080	1424	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1424 wrote to memory of 1080	1424	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1424 wrote to memory of 1080	1424	svchost.exe	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
PID 1080 wrote to memory of 796	1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.com
PID 1080 wrote to memory of 796	1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.com
PID 1080 wrote to memory of 796	1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.com
PID 1080 wrote to memory of 796	1080	cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe	svchost.com
PID 796 wrote to memory of 1508	796	svchost.com	CB44D0~1.EXE
PID 796 wrote to memory of 1508	796	svchost.com	CB44D0~1.EXE
PID 796 wrote to memory of 1508	796	svchost.com	CB44D0~1.EXE
PID 796 wrote to memory of 1508	796	svchost.com	CB44D0~1.EXE

C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe"
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\3582-490\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
"C:\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\CB44D0~1.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\3582-490\CB44D0~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\CB44D0~1.EXE
8⤵
- Executes dropped EXE
PID:1508

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:872

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
a49eb5f2ad98fffade88c1d337854f89

SHA1
2cc197bcf3625751f7e714ac1caf8e554d0be3b1

SHA256
99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449

SHA512
4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\CB44D0~1.EXE
MD5
5fce711e94c6ba33b122b700e75eed7d

SHA1
c4599ac933af3c0678e2963d4e1edae7b4f7dda6

SHA256
8d9f6ef19576322118223d628c6a868714d20fbe639295a8217bb4646e51f389

SHA512
e4dd1bbf1359f9c4e39abd208b753494f050682b5986713d25fe5ff0631994586073af2a29d8e60c610736eeae85ea139f3e4ec2298ff88c6359488ee6c4c49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\CB44D0~1.EXE
MD5
5fce711e94c6ba33b122b700e75eed7d

SHA1
c4599ac933af3c0678e2963d4e1edae7b4f7dda6

SHA256
8d9f6ef19576322118223d628c6a868714d20fbe639295a8217bb4646e51f389

SHA512
e4dd1bbf1359f9c4e39abd208b753494f050682b5986713d25fe5ff0631994586073af2a29d8e60c610736eeae85ea139f3e4ec2298ff88c6359488ee6c4c49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
efea8267fb19e387b504863937aa56a1

SHA1
ccbd0a908b968fa25e4abc2ffba29277c5bad297

SHA256
7209cd9af5021f0d43146c1e4fb2cd63f726aa6b7096fff2a46d6dfdc841ac5a

SHA512
b056554abf56d9324bbbb70c15128ddbd39c0ac6b1458bf180a1273c7c195aee9b75b7757265acf21cbf27363c6f4aefef941bfbc81f1a484406f254a71f3ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
efea8267fb19e387b504863937aa56a1

SHA1
ccbd0a908b968fa25e4abc2ffba29277c5bad297

SHA256
7209cd9af5021f0d43146c1e4fb2cd63f726aa6b7096fff2a46d6dfdc841ac5a

SHA512
b056554abf56d9324bbbb70c15128ddbd39c0ac6b1458bf180a1273c7c195aee9b75b7757265acf21cbf27363c6f4aefef941bfbc81f1a484406f254a71f3ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
2d98480b76c421b7ac5457e1cc6be199

SHA1
43912faafdbda67718e2bdf36018b3d5b067a32f

SHA256
e810dfaeb0a20ebae8113fae2201d040e3a7b8e7299935abaaa5abd517d0dc8a

SHA512
97b722f3a9a560419ff9a250bdaa8b8509aa0ec490aa239f70cc9d22963df1c37adcf74459ee2f245582367b3be8ba69d7e70e461d76ffce93b4b1991e1fb3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
2d98480b76c421b7ac5457e1cc6be199

SHA1
43912faafdbda67718e2bdf36018b3d5b067a32f

SHA256
e810dfaeb0a20ebae8113fae2201d040e3a7b8e7299935abaaa5abd517d0dc8a

SHA512
97b722f3a9a560419ff9a250bdaa8b8509aa0ec490aa239f70cc9d22963df1c37adcf74459ee2f245582367b3be8ba69d7e70e461d76ffce93b4b1991e1fb3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
c2cb21529fd519fed887f656d9beee86

SHA1
6644ae557c84f1172646ea250db52880d5b2e2ba

SHA256
0ee313e85741020e220a427e3e37e9a0f74ce0c39162877231dacca2667a467c

SHA512
ca10854a3971cc3556eb8715b647e312977ec243bb52a1b4e126413a980fc66c86d89ec62ba7245fd4df051c025c7b91b052ec4f64b1865ceb5fa8e5fc16ea98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
37020724fee6c0e60bb8a49eb6cc2647

SHA1
c606133d8fc2c1552c08463002984b1f6059919c

SHA256
e9e676fbfee9713102ec5aa61e64fe3a502bde9a10136202768724e25454e10c

SHA512
dbb2db3b01d22de81de7fda63b13195bd1a099d635098fbb025e05bd7349e72b77d3dbce5ce9ab23b1b0896827d3232957cf1e7e390f9aef3845dd28f6795d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
37020724fee6c0e60bb8a49eb6cc2647

SHA1
c606133d8fc2c1552c08463002984b1f6059919c

SHA256
e9e676fbfee9713102ec5aa61e64fe3a502bde9a10136202768724e25454e10c

SHA512
dbb2db3b01d22de81de7fda63b13195bd1a099d635098fbb025e05bd7349e72b77d3dbce5ce9ab23b1b0896827d3232957cf1e7e390f9aef3845dd28f6795d4f

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.com
MD5
92cc877488f113ea63c5fd9486bdd224

SHA1
6b002c9517666f67abbb9c8f328741f8e0769a40

SHA256
6bb802e5cfda6e8411961a7175935814f50ae9bd80c344d442226036c8363b91

SHA512
84e8b2d2c993fc970a1ddcbe18bbf1f9e0a846267e48e73756ad2d8b3f58f427b038c15ef778158401209bc658cc806709f7985746ad5e8901c7a20f80279f01

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\setup.exe
MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\setup.exe
MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\CB44D0~1.EXE
MD5
5fce711e94c6ba33b122b700e75eed7d

SHA1
c4599ac933af3c0678e2963d4e1edae7b4f7dda6

SHA256
8d9f6ef19576322118223d628c6a868714d20fbe639295a8217bb4646e51f389

SHA512
e4dd1bbf1359f9c4e39abd208b753494f050682b5986713d25fe5ff0631994586073af2a29d8e60c610736eeae85ea139f3e4ec2298ff88c6359488ee6c4c49f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
efea8267fb19e387b504863937aa56a1

SHA1
ccbd0a908b968fa25e4abc2ffba29277c5bad297

SHA256
7209cd9af5021f0d43146c1e4fb2cd63f726aa6b7096fff2a46d6dfdc841ac5a

SHA512
b056554abf56d9324bbbb70c15128ddbd39c0ac6b1458bf180a1273c7c195aee9b75b7757265acf21cbf27363c6f4aefef941bfbc81f1a484406f254a71f3ec2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
efea8267fb19e387b504863937aa56a1

SHA1
ccbd0a908b968fa25e4abc2ffba29277c5bad297

SHA256
7209cd9af5021f0d43146c1e4fb2cd63f726aa6b7096fff2a46d6dfdc841ac5a

SHA512
b056554abf56d9324bbbb70c15128ddbd39c0ac6b1458bf180a1273c7c195aee9b75b7757265acf21cbf27363c6f4aefef941bfbc81f1a484406f254a71f3ec2

Download Submit
\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
2d98480b76c421b7ac5457e1cc6be199

SHA1
43912faafdbda67718e2bdf36018b3d5b067a32f

SHA256
e810dfaeb0a20ebae8113fae2201d040e3a7b8e7299935abaaa5abd517d0dc8a

SHA512
97b722f3a9a560419ff9a250bdaa8b8509aa0ec490aa239f70cc9d22963df1c37adcf74459ee2f245582367b3be8ba69d7e70e461d76ffce93b4b1991e1fb3ed

Download Submit
\Users\Admin\AppData\Local\Temp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
2d98480b76c421b7ac5457e1cc6be199

SHA1
43912faafdbda67718e2bdf36018b3d5b067a32f

SHA256
e810dfaeb0a20ebae8113fae2201d040e3a7b8e7299935abaaa5abd517d0dc8a

SHA512
97b722f3a9a560419ff9a250bdaa8b8509aa0ec490aa239f70cc9d22963df1c37adcf74459ee2f245582367b3be8ba69d7e70e461d76ffce93b4b1991e1fb3ed

Download Submit
\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
37020724fee6c0e60bb8a49eb6cc2647

SHA1
c606133d8fc2c1552c08463002984b1f6059919c

SHA256
e9e676fbfee9713102ec5aa61e64fe3a502bde9a10136202768724e25454e10c

SHA512
dbb2db3b01d22de81de7fda63b13195bd1a099d635098fbb025e05bd7349e72b77d3dbce5ce9ab23b1b0896827d3232957cf1e7e390f9aef3845dd28f6795d4f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp\cb44d089-9c8a-42a2-9a3c-1095647f7398_1016.exe
MD5
37020724fee6c0e60bb8a49eb6cc2647

SHA1
c606133d8fc2c1552c08463002984b1f6059919c

SHA256
e9e676fbfee9713102ec5aa61e64fe3a502bde9a10136202768724e25454e10c

SHA512
dbb2db3b01d22de81de7fda63b13195bd1a099d635098fbb025e05bd7349e72b77d3dbce5ce9ab23b1b0896827d3232957cf1e7e390f9aef3845dd28f6795d4f

Download Submit
memory/520-62-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/796-82-0x0000000000000000-mapping.dmp

Download
memory/1080-77-0x0000000000000000-mapping.dmp

Download
memory/1384-67-0x0000000000000000-mapping.dmp

Download
memory/1424-70-0x0000000000000000-mapping.dmp

Download
memory/1508-91-0x0000000000000000-mapping.dmp

Download
memory/1540-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads