neshta | c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06

Analysis

max time kernel
133s
max time network
164s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Size

134KB
MD5

f278d8ac3f13e4cedb12071e36192d84
SHA1

bef5000146d4d25db641c35f3473083d9786b959
SHA256

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06
SHA512

697a87379ebb00917a4563b6ee5892128dcf366cfdb9e29a1a7137dd4d45b259ee09a314e1efac12bb5f03054849eed552fff08d2f28089753c24f0d863f903e

Score

10^/10

neshta persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\di78h-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [-] Whats Happen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension di78h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [-] What guarantees? [-] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7D0BA0898ECFE2E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: kZ22oRnDTp8RwpkQYKwFtBOHXNzqWapjTsHkg4naCvnQL2sdvHhNXyik7iYtb+ue WxO589LdlZmrm5VWt7JkmfLg1ocX4HQ4ZzyHdeYucCwcO0zAHfUhQRAeCWhPUNYt /1S7z0numb2IVX9dSIkemmfe7rGLYYVXzysJpzvJLSmuIVoU+O1jU/2QJoYiixFb 1nLokST3VYOFE8OP59neJavwRg5FLtM8A9EHKxWFkVj2v8SAYhu0js+BEmZYsU++ ZC0k5Ovi9WIifBjEqQ8d8vfQiUEtNewBFpSN7a+8p1Uix6aBdKqLkd+YH+Izd88F JeBvmT81M4DieqSzYVUEYpcylhKqKI33ZgEAwN8z2nTq/0qPOAU53TLArTW/NcwY RlvervZ9Bdu/87E952NspoopbiZXfQdZ3e/RqcxR5JQdHzyt12uoKve42Rz7Ohhd xsEwJIXA7iGdEoz3ooYGVSCELCF98yb41ntULyLPj/9LufjqKYV+XNcUqvH3It3f 6UXfpOUek0Tbu3mcla32rjlFs4z9EN1maRRRokF7J3ZHSBWFoscTH4RSxvFFlB7J Fm71sLFaG2ZO9lPT4w7QYNv994g6BlrdpB8DHqUPRfPRxQshccydwysjE1yTYldZ z/aqt46RCuknjKQf9YcW8DKJAHZ7g/ZQHnr17K8JeZ9m8RV2I8Mlw6U1m6JtbKOO yUzhgaHzmiqeuYKtfDYbi7jBdE3Ck+dykgTjTx6wR0TP2fqd8DW0EC57G12az7Cb FbN9nkmnQ5CTAKZMBCpqtlYNz0FV6hmtFygHv9Mdj3hDjfM6l/7QcKY2WiyhLS/y 46z3SmFmTc0JGmgy006SHW16QqzNEync3P5erFMf4B0x3OPy0/UbetIo+9ilHNlQ TVNuwDGmwtfTfN4cVXvmpTgURctknzYf1poVarpIN2StADpCPXle9DH+wZpajvDc +HTLOsN2ftO+z5OyIBNhZ4r7SLqFL2FMypD76nB7Tphv0uT9IHGTRcPbyFtcGUX2 BdH92hGxzs3PJLsA+BfSeQN35adeL7279nbrd+8T5vk4lYMc8iy5fGAoOyzxhgCl xWkelj2IrePFFIgIRsbVFnv3hU8t2XJkZHDkSo3BWdmLPcxllg751vID6PHi6gWs CTb2KOgSTG86Z2WWbBqFVieMhlrFESpgOHItFnrh/aW/xLJf1qyf8yJ14ySIvRVJ u1IPV/xaLUy8ZadQvVHROkaryqEfpGvTP4lkgvmIEjO8e+RsRZZ1asDNSyDCZLn0 nMhm9w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7D0BA0898ECFE2E

Signatures

Detect Neshta Payload 15 IoCs

Processes:

resource	yara_rule
C:\odt\office2016setup.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

pid process

3988 c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
File opened (read-only)	\??\N:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\S:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\W:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\Z:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\B:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\H:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\M:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\X:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\E:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\K:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\O:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\R:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\U:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\V:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\I:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\J:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\P:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\L:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\Q:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\T:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\Y:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\A:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\F:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened (read-only)	\??\G:	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Drops file in Program Files directory 54 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exec3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File created	\??\c:\program files\di78h-readme.txt	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Drops file in Windows directory 1 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description ioc process

File opened for modification C:\Windows\svchost.com c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Modifies registry class 1 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

pid	process
3988	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
3988	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3988	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Token: SeTakeOwnershipPrivilege	3988	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
Token: SeBackupPrivilege	3212	vssvc.exe
Token: SeRestorePrivilege	3212	vssvc.exe
Token: SeAuditPrivilege	3212	vssvc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

description	pid	process	target process
PID 2464 wrote to memory of 3988	2464	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
PID 2464 wrote to memory of 3988	2464	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
PID 2464 wrote to memory of 3988	2464	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe	c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

C:\Users\Admin\AppData\Local\Temp\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
"C:\Users\Admin\AppData\Local\Temp\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

MD5
eb383ba2622bbc92f579033364dec8b6

SHA1
c0d4db214a829b85c04d8826170c19732b5932f2

SHA256
3441b194259862e3c72c9fbdf126e4a5ae5df6877d8f6c9ba875be5d0ac36f35

SHA512
7a495ebb193bade4b26fa132d65b5c7ffea5e18bb72588aed1c14ae76a648fa73980ae116d9cec698c6e8b8f24592c9a447d2eed07c9fa8bd8ba6aaf68e10528

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c3948757555796fe68e49b01f14c83215989486b5feca5c22ed970423a8fae06.exe

MD5
eb383ba2622bbc92f579033364dec8b6

SHA1
c0d4db214a829b85c04d8826170c19732b5932f2

SHA256
3441b194259862e3c72c9fbdf126e4a5ae5df6877d8f6c9ba875be5d0ac36f35

SHA512
7a495ebb193bade4b26fa132d65b5c7ffea5e18bb72588aed1c14ae76a648fa73980ae116d9cec698c6e8b8f24592c9a447d2eed07c9fa8bd8ba6aaf68e10528

Download Submit
C:\odt\office2016setup.exe

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit