Analysis Overview
SHA256
2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c
Threat Level: Known bad
The file 2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c was found to be: Known bad.
Malicious Activity Summary
Detect Neshta Payload
Neshta family
Sodinokibi/Revil sample
Sodinokibi family
Modifies system executable filetype association
Neshta
Sodin, Sodinokibi, REvil
Deletes shadow copies
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-30 07:55
Signatures
Detect Neshta Payload
Neshta family
Sodinokibi family
Sodinokibi/Revil sample
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-30 07:55
Reported
2022-01-30 13:08
Platform
win7-en-20211208
Max time kernel
140s
Max time network
128s
Command Line
Signatures
Detect Neshta Payload
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
Neshta
Sodin, Sodinokibi, REvil
Sodinokibi/Revil sample
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
"C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/868-54-0x0000000075761000-0x0000000075763000-memory.dmp
\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
| MD5 | e62c896825a6d186f34fb16b1f57490a |
| SHA1 | 3287ff1b9d6256bcd31567c97e90a9bc89cd4f2d |
| SHA256 | 08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63 |
| SHA512 | 1c8e60da15ce4dacfc4f4a8fe3c90c3f37034a1333198e834c6924a15b35afb215dbf77361d3547cc254c16e3c8d289df639d174f569d0389307906cc3c3e7ab |
C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
| MD5 | e62c896825a6d186f34fb16b1f57490a |
| SHA1 | 3287ff1b9d6256bcd31567c97e90a9bc89cd4f2d |
| SHA256 | 08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63 |
| SHA512 | 1c8e60da15ce4dacfc4f4a8fe3c90c3f37034a1333198e834c6924a15b35afb215dbf77361d3547cc254c16e3c8d289df639d174f569d0389307906cc3c3e7ab |
C:\Windows\svchost.com
| MD5 | 36fd5e09c417c767a952b4609d73a54b |
| SHA1 | 299399c5a2403080a5bf67fb46faec210025b36d |
| SHA256 | 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2 |
| SHA512 | 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92 |
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
| MD5 | 02ee6a3424782531461fb2f10713d3c1 |
| SHA1 | b581a2c365d93ebb629e8363fd9f69afc673123f |
| SHA256 | ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc |
| SHA512 | 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec |
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
| MD5 | cf6c595d3e5e9667667af096762fd9c4 |
| SHA1 | 9bb44da8d7f6457099cb56e4f7d1026963dce7ce |
| SHA256 | 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d |
| SHA512 | ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80 |
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
| MD5 | 566ed4f62fdc96f175afedd811fa0370 |
| SHA1 | d4b47adc40e0d5a9391d3f6f2942d1889dd2a451 |
| SHA256 | e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460 |
| SHA512 | cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7 |
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
| MD5 | 58b58875a50a0d8b5e7be7d6ac685164 |
| SHA1 | 1e0b89c1b2585c76e758e9141b846ed4477b0662 |
| SHA256 | 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae |
| SHA512 | d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b |
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
| MD5 | 3ec4922dbca2d07815cf28144193ded9 |
| SHA1 | 75cda36469743fbc292da2684e76a26473f04a6d |
| SHA256 | 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801 |
| SHA512 | 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7 |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
| MD5 | e584c29c854081c78a366fbcc6f7f84c |
| SHA1 | 32b7e552e5916b43d57d7b088c543b77f1067338 |
| SHA256 | b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450 |
| SHA512 | c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
| MD5 | ea78ed9e7eb4cc64544163627476fe4b |
| SHA1 | 67aed91a59742a36c0ff635b15c692cde3eb3a9d |
| SHA256 | d5adfd6c8160892716ad5f2907cc66888aee97e1d296404503e1d42dd30ba562 |
| SHA512 | eeee54e5ffbd243fe7ef6c93744c754bc238e5b05e85c7ca3b25edc02a8692cd10225edff40444fe2536608d0ed25578573e309503cb8f90f43d089d86f8710f |
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
| MD5 | ad0efa1df844814c2e8ddc188cb0e3b5 |
| SHA1 | b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab |
| SHA256 | c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a |
| SHA512 | 532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520 |
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
| MD5 | fafb18b930b2b05ac8c5ddb988e9062f |
| SHA1 | 825ea5069601fb875f8d050aa01300eac03d3826 |
| SHA256 | c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265 |
| SHA512 | be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54 |
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
| MD5 | 8acc19705a625e2d4fa8b65214d7070a |
| SHA1 | ad16e49369c76c6826a18d136bf9618e8e99ec12 |
| SHA256 | 3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12 |
| SHA512 | 92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec |
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
| MD5 | f6a22f14c24ebf585de5cb4b0e17f04d |
| SHA1 | bde9818b34419e48d69babc456c56248a96f8b41 |
| SHA256 | 95454dbadfc97962e824e8ac976feb586d058170ad922e093f77752efb7ba077 |
| SHA512 | 1d516979e497f857886b9be19a5add61a2aa1da3fe47f207a013ed6e6c4f66ba3a763428651d397dbadb9f48747f7767682758e80738bcc81295505705be0575 |
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
| MD5 | 3e8de969e12cd5e6292489a12a9834b6 |
| SHA1 | 285b89585a09ead4affa32ecaaa842bc51d53ad5 |
| SHA256 | 7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf |
| SHA512 | b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e |
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
| MD5 | f6636e7fd493f59a5511f08894bba153 |
| SHA1 | 3618061817fdf1155acc0c99b7639b30e3b6936c |
| SHA256 | 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33 |
| SHA512 | bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-30 07:55
Reported
2022-01-30 13:09
Platform
win10-en-20211208
Max time kernel
155s
Max time network
153s
Command Line
Signatures
Detect Neshta Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
Neshta
Sodin,Sodinokibi,REvil
Sodinokibi/Revil sample
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Windows\svchost.com | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
"C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
| MD5 | e62c896825a6d186f34fb16b1f57490a |
| SHA1 | 3287ff1b9d6256bcd31567c97e90a9bc89cd4f2d |
| SHA256 | 08542ea965f7ac97c90635444860c5d35a8e8e81c7edf3ddbf6c1736a8c61b63 |
| SHA512 | 1c8e60da15ce4dacfc4f4a8fe3c90c3f37034a1333198e834c6924a15b35afb215dbf77361d3547cc254c16e3c8d289df639d174f569d0389307906cc3c3e7ab |
C:\Windows\svchost.com
| MD5 | 36fd5e09c417c767a952b4609d73a54b |
| SHA1 | 299399c5a2403080a5bf67fb46faec210025b36d |
| SHA256 | 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2 |
| SHA512 | 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92 |
C:\odt\OFFICE~1.EXE
| MD5 | 02c3d242fe142b0eabec69211b34bc55 |
| SHA1 | ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e |
| SHA256 | 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842 |
| SHA512 | 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099 |
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
| MD5 | 2a226fd810c5ce7b825ff7982bc22a0b |
| SHA1 | 58be5cb790336a8e751e91b1702a87fc0521a1d8 |
| SHA256 | af9e01dab96c2a54e2751a0d703cc55fdcc5ac00c40f0be2e13fd85c09b66132 |
| SHA512 | f122ce37b07871b88e322b0ca2e42f3170704d4165167d6d7b02883da9d2be5d2d62bdbd9f7e18d1c0c5e60e9e707a3b64ddb99150c99028333818dfa769deeb |
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
| MD5 | 3bf259392097b2c212b621a52da03706 |
| SHA1 | c740b063803008e3d4bab51b8e2719c1f4027bf9 |
| SHA256 | 79538fa3a6cf33b989d43e7311de4d7b0e1a99b60964e3acc00fa3cb49ff8160 |
| SHA512 | 186a81ec6cfa4c6dbcb2dc51cbd647bf44328077b58575fafab920303ccf259322cd31fccc0bb23418293f1b88d7f21ab3f0d8e3f9af7db4b5d3f7c8978c7934 |
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
| MD5 | 32853955255a94fcd7587ca9cbfe2b60 |
| SHA1 | c33a88184c09e89598f0cabf68ce91c8d5791521 |
| SHA256 | 64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330 |
| SHA512 | 8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997 |
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
| MD5 | f6636e7fd493f59a5511f08894bba153 |
| SHA1 | 3618061817fdf1155acc0c99b7639b30e3b6936c |
| SHA256 | 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33 |
| SHA512 | bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1 |
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
| MD5 | a49eb5f2ad98fffade88c1d337854f89 |
| SHA1 | 2cc197bcf3625751f7e714ac1caf8e554d0be3b1 |
| SHA256 | 99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449 |
| SHA512 | 4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593 |
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
| MD5 | 3e8de969e12cd5e6292489a12a9834b6 |
| SHA1 | 285b89585a09ead4affa32ecaaa842bc51d53ad5 |
| SHA256 | 7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf |
| SHA512 | b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e |