neshta | 05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337

General

Target

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
Size

251KB
MD5

3e11c823c2475c951d71893f2484dfa4
SHA1

91351132f85c8a516f5b3b41c1854ef9c87c1879
SHA256

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337
SHA512

78f615f9cc68f3f9ef7dad5a12f862feaf10202880ad55305f02304aaaa224dd8e3dbeaeb65307707e445f2d7552bbc9e73d93982633a0e6a31695f3394f42ec

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

pid process

3580 05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~2.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\msedge.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\COOKIE~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\ELEVAT~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~3.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

Drops file in Windows directory 7 IoCs

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe

Modifies registry class 1 IoCs

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1772	svchost.exe
Token: SeCreatePagefilePrivilege	1772	svchost.exe
Token: SeShutdownPrivilege	1772	svchost.exe
Token: SeCreatePagefilePrivilege	1772	svchost.exe
Token: SeShutdownPrivilege	1772	svchost.exe
Token: SeCreatePagefilePrivilege	1772	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

pid	process
3580	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
3580	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

description	pid	process	target process
PID 4524 wrote to memory of 3580	4524	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
PID 4524 wrote to memory of 3580	4524	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
PID 4524 wrote to memory of 3580	4524	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe	05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe

C:\Users\Admin\AppData\Local\Temp\05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
"C:\Users\Admin\AppData\Local\Temp\05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe af3793745eee221755a660b6c4b84f53 LDYsgnA3jkCrwiQahBABGA.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
MD5
041ead13017cb100159a79bde4c9a3d7

SHA1
cbf3d6a9d4f4f73904f645aaf975dcb6924f46f0

SHA256
dc4da1ddd50e050fe4e480f276c90534f4f76d8e3fb3f035afe446c25bcf5bb2

SHA512
09d97b1df521bc5ec5ede5cae84557152518e8d58e32aff30f10e8e73f0bd900ac4fe61e099478169d656bad8a085dfd9258587b7c28f901fda482ef0d9e5807

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\05a473e9c2e00a7a13a69879ba5473c4b17700c5329ca8d9ee457e763d778337.exe
MD5
041ead13017cb100159a79bde4c9a3d7

SHA1
cbf3d6a9d4f4f73904f645aaf975dcb6924f46f0

SHA256
dc4da1ddd50e050fe4e480f276c90534f4f76d8e3fb3f035afe446c25bcf5bb2

SHA512
09d97b1df521bc5ec5ede5cae84557152518e8d58e32aff30f10e8e73f0bd900ac4fe61e099478169d656bad8a085dfd9258587b7c28f901fda482ef0d9e5807

Download Submit
memory/1772-132-0x0000018BEFBA0000-0x0000018BEFBB0000-memory.dmp

Filesize
64KB

Download
memory/1772-139-0x0000018BF2920000-0x0000018BF2924000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads