neshta | 7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d

General

Target

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Size

2.4MB
MD5

ae47016cc9ce531df98e6e9da5eeb076
SHA1

ea0ed319bb94742b01a26cefb29f7fc1c8a811a4
SHA256

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d
SHA512

e694595ff92e8b8a93a3b432419b2e73e03f15ad3af1959dda7169f1884a0c025d1c422eac6548a137dbe1e847c21683579a22ec3545abf864ad5f0a3efdbc26

Score

10^/10

neshta evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

pid process

2036 7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2036-62-0x0000000002660000-0x00000000036EE000-memory.dmp	upx
behavioral1/memory/2036-71-0x0000000002660000-0x00000000036EE000-memory.dmp	upx
behavioral1/memory/1296-73-0x0000000002B10000-0x0000000003B9E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

pid	process
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
File opened (read-only)	\??\G:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\I:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\M:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\R:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\W:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\Y:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\H:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\K:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\L:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\P:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\V:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\Z:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\J:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\N:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\O:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\Q:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\S:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\T:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\E:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\F:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened (read-only)	\??\U:	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Drops file in Windows directory 2 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
File opened for modification	C:\Windows\svchost.com	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

pid	process
2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	pid	process
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Token: SeDebugPrivilege	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	pid	process	target process
PID 1296 wrote to memory of 2036	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 1296 wrote to memory of 2036	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 1296 wrote to memory of 2036	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 1296 wrote to memory of 2036	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 1296 wrote to memory of 2036	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 1296 wrote to memory of 2036	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 1296 wrote to memory of 2036	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 2036 wrote to memory of 1096	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 2036 wrote to memory of 1180	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 2036 wrote to memory of 1208	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 2036 wrote to memory of 1296	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 2036 wrote to memory of 1296	2036	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE
PID 1296 wrote to memory of 1096	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	taskhost.exe
PID 1296 wrote to memory of 1180	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Dwm.exe
PID 1296 wrote to memory of 1208	1296	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe	Explorer.EXE

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
"C:\Users\Admin\AppData\Local\Temp\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe"
2⤵
- Modifies firewall policy service
- Modifies system executable filetype association
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1296

C:\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2036

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Change Default File Association

1

T1042

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
MD5
7cd7b267d136ec6dcc9d7152f5c2eada

SHA1
0bb1cf210a03b93bb54bbfce35b652dcb2626264

SHA256
3f015bc2f53bb9e381ee9473fb9984fbf23b583f5b241e9582da70cff97eb6db

SHA512
10f15b466673b062f529adf61fa94ef1519589c6367b88a9d194adf707712b228d5136441facfac9bacc833f9884e623bf23ce9689c8ac08531b0a3a4d3cb640

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
MD5
7cd7b267d136ec6dcc9d7152f5c2eada

SHA1
0bb1cf210a03b93bb54bbfce35b652dcb2626264

SHA256
3f015bc2f53bb9e381ee9473fb9984fbf23b583f5b241e9582da70cff97eb6db

SHA512
10f15b466673b062f529adf61fa94ef1519589c6367b88a9d194adf707712b228d5136441facfac9bacc833f9884e623bf23ce9689c8ac08531b0a3a4d3cb640

Download Submit
C:\Windows\SYSTEM.INI
MD5
a395e2ad9f7cc4af857260c179cd1d71

SHA1
ff0c9900d0a4ec4401bedbca9b5974e5d21d1462

SHA256
73e1524e7a78925076acd2b6c82dc385c3d982a76f1f9fbe64ee9be93181a7e6

SHA512
4e814220a9ec82cfb905a8581dbd0072389aec2656ad5f9eb570fc9b3f73b8539361eecc8b20a85af939b5f1f2fb06f5d1ca2fca709836c6d58b2b05e385907d

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
MD5
7cd7b267d136ec6dcc9d7152f5c2eada

SHA1
0bb1cf210a03b93bb54bbfce35b652dcb2626264

SHA256
3f015bc2f53bb9e381ee9473fb9984fbf23b583f5b241e9582da70cff97eb6db

SHA512
10f15b466673b062f529adf61fa94ef1519589c6367b88a9d194adf707712b228d5136441facfac9bacc833f9884e623bf23ce9689c8ac08531b0a3a4d3cb640

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
MD5
7cd7b267d136ec6dcc9d7152f5c2eada

SHA1
0bb1cf210a03b93bb54bbfce35b652dcb2626264

SHA256
3f015bc2f53bb9e381ee9473fb9984fbf23b583f5b241e9582da70cff97eb6db

SHA512
10f15b466673b062f529adf61fa94ef1519589c6367b88a9d194adf707712b228d5136441facfac9bacc833f9884e623bf23ce9689c8ac08531b0a3a4d3cb640

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
MD5
7cd7b267d136ec6dcc9d7152f5c2eada

SHA1
0bb1cf210a03b93bb54bbfce35b652dcb2626264

SHA256
3f015bc2f53bb9e381ee9473fb9984fbf23b583f5b241e9582da70cff97eb6db

SHA512
10f15b466673b062f529adf61fa94ef1519589c6367b88a9d194adf707712b228d5136441facfac9bacc833f9884e623bf23ce9689c8ac08531b0a3a4d3cb640

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\7677f02eba76f2cf42d55ef859b22976d79db2de3c67f613b8054b13f43fb08d.exe
MD5
7cd7b267d136ec6dcc9d7152f5c2eada

SHA1
0bb1cf210a03b93bb54bbfce35b652dcb2626264

SHA256
3f015bc2f53bb9e381ee9473fb9984fbf23b583f5b241e9582da70cff97eb6db

SHA512
10f15b466673b062f529adf61fa94ef1519589c6367b88a9d194adf707712b228d5136441facfac9bacc833f9884e623bf23ce9689c8ac08531b0a3a4d3cb640

Download Submit
memory/1096-63-0x0000000001B40000-0x0000000001B42000-memory.dmp

Filesize
8KB

Download
memory/1296-67-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1296-73-0x0000000002B10000-0x0000000003B9E000-memory.dmp

Filesize
16.6MB

Download
memory/1296-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1296-96-0x0000000002730000-0x000000000298D000-memory.dmp

Filesize
2.4MB

Download
memory/1296-97-0x00000000024F0000-0x000000000313A000-memory.dmp

Filesize
12.3MB

Download
memory/1296-98-0x00000000003B0000-0x00000000003B2000-memory.dmp

Filesize
8KB

Download
memory/1296-99-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2036-70-0x0000000001000000-0x000000000125D000-memory.dmp

Filesize
2.4MB

Download
memory/2036-71-0x0000000002660000-0x00000000036EE000-memory.dmp

Filesize
16.6MB

Download
memory/2036-62-0x0000000002660000-0x00000000036EE000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads