neshta | c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-01-2022 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Size

134KB
MD5

f278d8ac3f13e4cedb12071e36192d84
SHA1

bef5000146d4d25db641c35f3473083d9786b959
SHA256

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06
SHA512

697a87379ebb00917a4563b6ee5892128dcf366cfdb9e29a1a7137dd4d45b259ee09a314e1efac12bb5f03054849eed552fff08d2f28089753c24f0d863f903e

Score

10^/10

neshta persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\yi49308h-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [-] Whats Happen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension yi49308h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [-] What guarantees? [-] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C3E333CB0B376C9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: DZxJTCquJVeWIKKwNOR4TL7eCiS8yKqClYvpCjWe8ZPxkM8ZpPdZDTdlnsMbBzxH /axb39Axa3Lw+2IszgMcvIo1lR1aXPrlMb0zEqUR7CXKG2bs6YX7XACY0Rrq5mx0 AXvv6kT5XWd6r/NFEsv+UNcU3i1sZYFs2LN7Y8gKQ0+ctXdextKXnlCWhKM41dp3 H3pez3pLsb74QZdEL1T1AvgSpaU1a7ibnFbCWbz1ZIGOACqIJEbLudYJnb4RnzK1 EDKSjQBtrPys+3OxfAElJY8d8FaKskC1ghV3eXHupMz/CN1aItSJDhwJSFbWIc6d KhB1O8X2rA3fO/BZcR62ongUR2cXgYgD2SGiin1svTBPTZC1hGlfG4IdLKe2BEGZ rXxwWOZ/cY6Ynb2a5RaESrciJpWLY0gHfMfg+h5Hdg+AUk+411ZiO2i4P9Xk4jNW 8eNTzxyHJPFkZikKT7iJaZ8UK8K9EI56GCQ0amqVX18HWK0/Y8s1uW50CxE+i2bE GimKmpHsbBHhcxrrvbC2yUunILJXS0TNUZwIGYiI+JZL607WgLc1uCFejwhkJdvW DXvXEyyMEDL4S2hrbWJX0JConiTZH8qc0cvU7iUEOj8HTRFcAPwnsOhfhWetF4Pf /GCUOFekACO+GafR/KgiOFBaKOPHuOlRgtk8D6KXjaUVCC3FuEWu0OnpZFql/CeP geVw9VNmxX4K0beKpPD86usxgYhyJuaa3H2gWQmuvM9S6QDZgUVu1nGihnJRSxJT 1ubYl7IY3dm/JyTIB10YXJcC1aIeaiAqgjXNMoc9Ftm7224dQII1OCNJyxcucjNx ExxUjXyd2mWFRL6q68JrkyLCllHd7sdWZhm8fHZKpdi1rOcCS0qJmQUlfkghcYLV gLLWodNHt2uPjAguF+iksg9B8nTbE2346DbOZD5V0LhDyuzBhGwPf5Mt1mmIyVhs lFJq9dIGojmNI+OAN9zvjZaFDeFpf+GSHMg5k7YD5wl8H2tHrngyN87wHV6fzUdi eP5Q0Ay/J5ScbTfvgQdvUlu27p/LB4Oirb9MhzO1SpETkbjOEx3iAT+DQJwI5U9o UOvyzUDPJOZXu4K9oJeLniSkNeuDT4CQYiugVrzPvjhcBqk5iVod3BhPKf8eHBeS uCfABv2/ST3rNO4wwFmw+MQI7hqjmDkZI3ur5ims88Mp4H7dvmE3dv4hZeU4YuXO Wsjy8yrgZTZuw89sBL3A+k8EAOsLYwu/R4gS14IA7ta3UVVey+eabr9gKGX7cg3k x5BVm8Z7y6uLVis7E5HyQcMn ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2C3E333CB0B376C9

Signatures

Detect Neshta Payload 8 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	family_neshta
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE	family_neshta
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	family_neshta
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe	family_neshta
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe	family_neshta
C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

pid process

468 c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

pid	process
468	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Loads dropped DLL 3 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

pid	process
944	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
944	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
944	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 4 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
File opened for modification	\??\c:\program files\desktop.ini	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\users\public\desktop.ini	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
File opened (read-only)	\??\X:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\A:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\G:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\L:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\R:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\U:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\B:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\F:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\H:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\O:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\S:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\Y:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\I:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\J:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\K:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\N:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\Q:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\W:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\Z:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\E:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\M:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\P:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\T:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\V:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Drops file in Program Files directory 64 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exec3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
File opened for modification	\??\c:\program files\ConvertToMerge.ram	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\EnterInvoke.m1v	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\JoinRemove.hta	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\PublishDisable.lock	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\PushUse.jfif	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceoledb35.dll	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceme35.dll	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\AssertUpdate.fon	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\desktop.ini	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\RepairEdit.xlsb	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\StopCheckpoint.pcx	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\WaitLimit.mpeg2	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File created	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\yi49308h-readme.txt	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcecompact35.dll	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\TestUse.svgz	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlcese35.dll	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\StepProtect.ps1	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files\EnterRedo.M2V	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\sqlceca35.dll	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Drops file in Windows directory 1 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description ioc process

File opened for modification C:\Windows\svchost.com c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Modifies registry class 1 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

pid process

468 c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

pid	process
468	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exevssvc.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	468	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Token: SeTakeOwnershipPrivilege	468	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Token: SeBackupPrivilege	1928	vssvc.exe
Token: SeRestorePrivilege	1928	vssvc.exe
Token: SeAuditPrivilege	1928	vssvc.exe
Token: SeBackupPrivilege	948	vssvc.exe
Token: SeRestorePrivilege	948	vssvc.exe
Token: SeAuditPrivilege	948	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	pid	process	target process
PID 944 wrote to memory of 468	944	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
PID 944 wrote to memory of 468	944	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
PID 944 wrote to memory of 468	944	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
PID 944 wrote to memory of 468	944	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

C:\Users\Admin\AppData\Local\Temp\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
"C:\Users\Admin\AppData\Local\Temp\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\desktop.ini
MD5
bb562b77cb8a87e98ccee5412f017755

SHA1
e25617068651ce2c18cc2042325be65d5d9cae79

SHA256
ddb4f34ac1d91dce1be4e718cfd6de63b8d43f84fbe619d78c415683e52ec53d

SHA512
489069190e1c514617d1ac77e4408ebde5fe87fa295dbea4a2142f25644b4ec68c45650de488be3088d3be046d88f9a544c19761645313e0bb3ba5c10f39700b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
MD5
06ac9f5e8fd5694c759dc59d8a34ee86

SHA1
a29068d521488a0b8e8fc75bc0a2d1778264596b

SHA256
ab6a5bfc12229c116033183db646125573989dfc2fc076e63e248b1b82f6751d

SHA512
597dfd9cb82acc8f3033f2215df7138f04445f5826054528242e99e273f9cc4a7a956c75f280e6145fcdb22824a1f258246e22637de56a66dcae72ac2c1d14fe

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
MD5
fa982a173f9d3628c2b3ff62bd8a2f87

SHA1
2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

SHA256
bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

SHA512
95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
MD5
eb383ba2622bbc92f579033364dec8b6

SHA1
c0d4db214a829b85c04d8826170c19732b5932f2

SHA256
3441b194259862e3c72c9fbdf126e4a5ae5df6877d8f6c9ba875be5d0ac36f35

SHA512
7a495ebb193bade4b26fa132d65b5c7ffea5e18bb72588aed1c14ae76a648fa73980ae116d9cec698c6e8b8f24592c9a447d2eed07c9fa8bd8ba6aaf68e10528

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
MD5
eb383ba2622bbc92f579033364dec8b6

SHA1
c0d4db214a829b85c04d8826170c19732b5932f2

SHA256
3441b194259862e3c72c9fbdf126e4a5ae5df6877d8f6c9ba875be5d0ac36f35

SHA512
7a495ebb193bade4b26fa132d65b5c7ffea5e18bb72588aed1c14ae76a648fa73980ae116d9cec698c6e8b8f24592c9a447d2eed07c9fa8bd8ba6aaf68e10528

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
MD5
eb383ba2622bbc92f579033364dec8b6

SHA1
c0d4db214a829b85c04d8826170c19732b5932f2

SHA256
3441b194259862e3c72c9fbdf126e4a5ae5df6877d8f6c9ba875be5d0ac36f35

SHA512
7a495ebb193bade4b26fa132d65b5c7ffea5e18bb72588aed1c14ae76a648fa73980ae116d9cec698c6e8b8f24592c9a447d2eed07c9fa8bd8ba6aaf68e10528

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
MD5
eb383ba2622bbc92f579033364dec8b6

SHA1
c0d4db214a829b85c04d8826170c19732b5932f2

SHA256
3441b194259862e3c72c9fbdf126e4a5ae5df6877d8f6c9ba875be5d0ac36f35

SHA512
7a495ebb193bade4b26fa132d65b5c7ffea5e18bb72588aed1c14ae76a648fa73980ae116d9cec698c6e8b8f24592c9a447d2eed07c9fa8bd8ba6aaf68e10528

Download Submit
memory/944-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download