neshta | 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59

General

Target

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
Size

112KB
MD5

8b7611f961f0e2654905ef70c64643d8
SHA1

6179240e198d9cb07b2703be0b725f852303cc97
SHA256

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59
SHA512

708e2ba0d0703e0b392654f928b9c0f478d86a60be9568a0bc9bb080a21ee32fed24d8cdedfe1c6e6651918af6d13a0f23e730c40ae038448d99bcf728195737

Score

10^/10

neshta evasion persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

pid process

1944 359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1944	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~2.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~3.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{A9F77~1\EDGEMI~1.TMP\setup.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\msedge.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\BHO\IE_TO_~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\ELEVAT~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\PWAHEL~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe

Drops file in Windows directory 7 IoCs

Processes:

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

reg.exe359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff\ = "╣µ╚¡║« ╗τ┐δ ╛╚╟╘"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff\Icon = "C:\\Windows\\system32\\imageres.dll,101"	reg.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2440	svchost.exe
Token: SeCreatePagefilePrivilege	2440	svchost.exe
Token: SeShutdownPrivilege	2440	svchost.exe
Token: SeCreatePagefilePrivilege	2440	svchost.exe
Token: SeShutdownPrivilege	2440	svchost.exe
Token: SeCreatePagefilePrivilege	2440	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.execmd.execmd.exe

description	pid	process	target process
PID 3588 wrote to memory of 1944	3588	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
PID 3588 wrote to memory of 1944	3588	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
PID 3588 wrote to memory of 1944	3588	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
PID 1944 wrote to memory of 2284	1944	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe	cmd.exe
PID 1944 wrote to memory of 2284	1944	359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe	cmd.exe
PID 2284 wrote to memory of 4392	2284	cmd.exe	cmd.exe
PID 2284 wrote to memory of 4392	2284	cmd.exe	cmd.exe
PID 4392 wrote to memory of 1292	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 1292	4392	cmd.exe	reg.exe
PID 2284 wrote to memory of 4788	2284	cmd.exe	netsh.exe
PID 2284 wrote to memory of 4788	2284	cmd.exe	netsh.exe
PID 2284 wrote to memory of 1200	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 1200	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 2704	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 2704	2284	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
"C:\Users\Admin\AppData\Local\Temp\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B9D7.tmp\B9D8.bat C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall
4⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall
5⤵
PID:1292

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state on
4⤵
PID:4788

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff" /v "Icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll,101" /f
4⤵
- Modifies registry class
PID:1200

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Classes\Directory\background\shell\FirewallOnOff" /ve /t REG_SZ /d "╣µ╚¡║« ╗τ┐δ ╛╚╟╘" /f
4⤵
- Modifies registry class
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
MD5
4c7f6c95f09cad4461bd307a2c66d3f8

SHA1
add6f61d5490c5873872d313b8d0486ec08c3ed7

SHA256
a3e6aa14ac199c4c051c2646a15bb1d6b6fdfc53afde6b0c43886d2b21e35927

SHA512
3e0310da9041f6ecb8f3f12fd08076def65b4c9bdf14b48701d0c297571180f844d6c71d4c943eade5a4ad877ae471758584576c93188476ea92b3c313429da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\359b201b01aee5f412ec6a65e9504a70459ebbe77ebfdb6eb37b42651d6c7c59.exe
MD5
4c7f6c95f09cad4461bd307a2c66d3f8

SHA1
add6f61d5490c5873872d313b8d0486ec08c3ed7

SHA256
a3e6aa14ac199c4c051c2646a15bb1d6b6fdfc53afde6b0c43886d2b21e35927

SHA512
3e0310da9041f6ecb8f3f12fd08076def65b4c9bdf14b48701d0c297571180f844d6c71d4c943eade5a4ad877ae471758584576c93188476ea92b3c313429da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9D7.tmp\B9D8.bat
MD5
0eb9a79994c76138fede24c947c5b616

SHA1
4953b14a02ebd61c7f112e1be2f5befa41d82ca6

SHA256
eb9a37341edc21ca2e5c199637269425d978ca3b41ae23d6486cd125204e0cca

SHA512
b106115e734afc090645092effec1015f051d394897ca584601a5a6960686e7046021fde7ec94555fc3c4c3c42f59b81b2920e665e87b231bbe74e64aa4dea27

Download Submit
memory/2440-137-0x000001E482390000-0x000001E4823A0000-memory.dmp

Filesize
64KB

Download
memory/2440-144-0x000001E485770000-0x000001E485774000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads