neshta | 55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a

Analysis

max time kernel
173s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
06-02-2022 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Size

1.6MB
MD5

c4ad102a06da79a5ded9cc07a477261d
SHA1

56d35fdc72491488a668dc14f9da84277d592391
SHA256

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a
SHA512

892a430372fd9457eb97e6cf68c588cd7d0ecd0f72fa4422aedadbcfd2889d545b6054fc87add716d013eb5a239217e9a438ef5f32db89aa0f1b1f52be2c19de

Score

10^/10

neshta evasion persistence spyware trojan

Malware Config

Signatures

Detect Neshta Payload 3 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exesvchost.com

pid process

4316 55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
4816 svchost.com

pid	process
4316	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
4816	svchost.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

Drops file in Windows directory 3 IoCs

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

pid process

4316 55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

pid	process
4316	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exesvchost.com

description	pid	process	target process
PID 2320 wrote to memory of 4316	2320	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
PID 2320 wrote to memory of 4316	2320	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
PID 2320 wrote to memory of 4316	2320	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
PID 4316 wrote to memory of 4816	4316	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe	svchost.com
PID 4316 wrote to memory of 4816	4316	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe	svchost.com
PID 4316 wrote to memory of 4816	4316	55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe	svchost.com
PID 4816 wrote to memory of 2268	4816	svchost.com	READER~1.EXE
PID 4816 wrote to memory of 2268	4816	svchost.com	READER~1.EXE
PID 4816 wrote to memory of 2268	4816	svchost.com	READER~1.EXE

C:\Users\Admin\AppData\Local\Temp\55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
"C:\Users\Admin\AppData\Local\Temp\55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\3582-490\55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4816

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
4⤵
PID:2268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\ARM\Reader_19.010.20069\AcroRdrDCUpd1901020098.msp
MD5
3404522672187ad49ad74aec689075c0

SHA1
af6b91326f443b04088cd3718b93334a7247ce1a

SHA256
0ef813051b890501283103fb2999aaa01438227b681dcf711d09c10c5846d72d

SHA512
35d47d228977ae3e77b1510e67fc082da37a39f346a23d4d5f65d91ac46ae51581ccb3c507efe6b33a8ac26af11e58ee2128f98a16ba4b1f2bf9b14e70389f18

Download Submit
C:\Users\Admin\AppData\Local\Adobe\ARM\Reader_19.010.20069\ReaderDCManifest2.msi
MD5
6f014505b038aa70695dc6557662df8b

SHA1
25607777270af2b0a38da97d8d98ab9bc7926980

SHA256
52040d7492e91856c658e4779bdc2de38a81f47e5136d9a772f4559178fbe7fc

SHA512
25c53e4b7c273b3699be727e5a6688dbfad7b6633d78d29e753bc3446b8e2b5e8c752a8842870264fe10a2b3a0246c335bea7457daa289faec67f7ca7c2aaac0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\ARM\S\ARM.msi
MD5
5c256b8910abfa6fb390b6b6986fbdc8

SHA1
f106a3257f64ff9be9314f099deae3cef5a75d52

SHA256
f0baf945e8ccda8d7ad3a5f76aa952c5b6ee1a8ce05c5e0eede9384d7b3f1bcc

SHA512
d6bae8fe0b0707a49bc54d62b508024fee0c25c2150483ba5f2608b9c4d9f75c2b3b9eea1d8feb08921cc5ff38488adc97e4d2ab167bdbd26706d562aff775af

Download Submit
C:\Users\Admin\AppData\Local\Adobe\ARM\S\ArmManifest3.msi
MD5
b6935ef524b1a039a12bd619da830fe0

SHA1
f39030ea87dabcaf46c2c59d43b7381ecf064119

SHA256
b0097ffd73d0d83cd1d81b7ffd3fe4f0e9275218630fd8d0793f20ee95985ac7

SHA512
1caf933ea5bd278c723e1478120f8b89b3acd58139a8eda8ee09c92df6c2068a9c8765b8eec9e46675bc4efe25784874d9a34d2e55c95a68fff2ca2cf7478c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
MD5
8f9a1733d2a9aea90186f7f2899fb9db

SHA1
cf6b567610932fac8a104a2efccebd7bc732d749

SHA256
5682fc04d2034c28ad7882a207407022f541e3efe80337a447ca5a3b457002af

SHA512
bb8079624a61975b1d540a85f1bf4fa5474dad32b54f9ca916548c9dcbccc7a6fdedcc5ba29f7fc6aeba01c0f41a5386f892c6b767828e016c4eb51b3ca9d69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\55a338b1d8ac98b5075c7ea83e27eb457aa0df1684fd923864020e99f7817c2a.exe
MD5
8f9a1733d2a9aea90186f7f2899fb9db

SHA1
cf6b567610932fac8a104a2efccebd7bc732d749

SHA256
5682fc04d2034c28ad7882a207407022f541e3efe80337a447ca5a3b457002af

SHA512
bb8079624a61975b1d540a85f1bf4fa5474dad32b54f9ca916548c9dcbccc7a6fdedcc5ba29f7fc6aeba01c0f41a5386f892c6b767828e016c4eb51b3ca9d69c

Download Submit
C:\Windows\svchost.com
MD5
d1499f582a63bc6e26debc4d6c439773

SHA1
efff51429486363749484600cab910c0768e85a9

SHA256
8005691f4eff8d78f866243532f583826a4c2bdd009eab278c60ef64fc260209

SHA512
eadfee975290db3474ec669c83f98f974fe19d85873a4d5344a467ffaf2f689f538152dca598cb246a323a988a2ee9198543d8950bdba59c710c4f2efc412fca

Download Submit
C:\Windows\svchost.com
MD5
d1499f582a63bc6e26debc4d6c439773

SHA1
efff51429486363749484600cab910c0768e85a9

SHA256
8005691f4eff8d78f866243532f583826a4c2bdd009eab278c60ef64fc260209

SHA512
eadfee975290db3474ec669c83f98f974fe19d85873a4d5344a467ffaf2f689f538152dca598cb246a323a988a2ee9198543d8950bdba59c710c4f2efc412fca

Download Submit
C:\odt\OFFICE~1.EXE
MD5
3583a1dca8a996859a0f2c31fe688e78

SHA1
15e72e57b5843de75630529a0d8fc32d00b0a2e4

SHA256
c2cf6e5073cc78ca94730069c5deaebccd908d0366c46bdc14a7d1a0406929b6

SHA512
62bbb584618b005042170b12b3b37addf54036b6bed6be31f1369c8b4a05464abdd8380c5c4391287495041c4989a479b5f3e6322c4cda60b465ba9c938fa232

Download Submit