neshta | a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9 | Triage

Analysis

max time kernel
161s
max time network
169s
platform
windows7_x64
resource
win7-en-20211208
submitted
12-02-2022 00:25

Sharing

Report Analysis Logs

General

Target

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
Size

1.3MB
MD5

08676a0eaff0dc145df83c6e8da85920
SHA1

729bfe1fcc9a31ee58ca56b7cc702b035838cb76
SHA256

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9
SHA512

f80c3723a881de1317dfffabed8e07886651d8e6aa46b622562a4e726924bf7809e2101ed40e2316339067608febb6a2cf49a116a0cca791d9aea3afcf3e553e

Score

10^/10

neshta evasion persistence ransomware spyware

Malware Config

Extracted

Path

C:\Read-this.txt

Ransom Note

All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back 1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey.txt.key file 2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data 3-Payment should be with Bitcoin 4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss Our Email:[email protected] in Case of no Answer:[email protected]

Emails

Email:[email protected]

Answer:[email protected]

Signatures

Detect Neshta Payload 4 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	family_neshta
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

Modify Registry

Change Default File Association

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

pid process

1644 a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

pid process

1772 a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Drops file in Program Files directory 64 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\it.pak	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\mr.pak.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\sonicsptransform.ax	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ta.pak	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\SyncRevoke.wmf.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\SplitRestart.tif.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\title_trans_scene.wmv	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\da.pak.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fil.pak.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nl.pak	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabIpsps.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.[[email protected]][MJ-OY6014289357].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\Pipeline.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\drive.crx	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\SyncRevoke.wmf	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Drops file in Windows directory 1 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description ioc process

File opened for modification C:\Windows\svchost.com a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

NTFS ADS 1 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-2329389628-4064185017-3901522362-1000\desk\8:ˈ\ˈ\ ¢ˈ\ª¬ˈ\´¶󬋈\¾À􃋈\ÈÊ𚋈\ÒÔ풄ˈ\ÜÞ탠ˈ	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

pid	process
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exea76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1772 wrote to memory of 1644	1772	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
PID 1772 wrote to memory of 1644	1772	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
PID 1772 wrote to memory of 1644	1772	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
PID 1772 wrote to memory of 1644	1772	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
PID 1644 wrote to memory of 664	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 664	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 664	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 664	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 664 wrote to memory of 1436	664	cmd.exe	net.exe
PID 664 wrote to memory of 1436	664	cmd.exe	net.exe
PID 664 wrote to memory of 1436	664	cmd.exe	net.exe
PID 664 wrote to memory of 1436	664	cmd.exe	net.exe
PID 1436 wrote to memory of 1680	1436	net.exe	net1.exe
PID 1436 wrote to memory of 1680	1436	net.exe	net1.exe
PID 1436 wrote to memory of 1680	1436	net.exe	net1.exe
PID 1436 wrote to memory of 1680	1436	net.exe	net1.exe
PID 1644 wrote to memory of 1264	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1264	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1264	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1264	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 2036	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 2036	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 2036	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 2036	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 928	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 928	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 928	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 928	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1072	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1072	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1072	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1072	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1072 wrote to memory of 1076	1072	cmd.exe	net.exe
PID 1072 wrote to memory of 1076	1072	cmd.exe	net.exe
PID 1072 wrote to memory of 1076	1072	cmd.exe	net.exe
PID 1072 wrote to memory of 1076	1072	cmd.exe	net.exe
PID 1076 wrote to memory of 1088	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1088	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1088	1076	net.exe	net1.exe
PID 1076 wrote to memory of 1088	1076	net.exe	net1.exe
PID 1644 wrote to memory of 1056	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1056	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1056	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1056	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1056 wrote to memory of 1496	1056	cmd.exe	net.exe
PID 1056 wrote to memory of 1496	1056	cmd.exe	net.exe
PID 1056 wrote to memory of 1496	1056	cmd.exe	net.exe
PID 1056 wrote to memory of 1496	1056	cmd.exe	net.exe
PID 1496 wrote to memory of 1456	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1456	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1456	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1456	1496	net.exe	net1.exe
PID 1644 wrote to memory of 1836	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1836	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1836	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1644 wrote to memory of 1836	1644	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1836 wrote to memory of 1392	1836	cmd.exe	net.exe
PID 1836 wrote to memory of 1392	1836	cmd.exe	net.exe
PID 1836 wrote to memory of 1392	1836	cmd.exe	net.exe
PID 1836 wrote to memory of 1392	1836	cmd.exe	net.exe
PID 1392 wrote to memory of 1572	1392	net.exe	net1.exe
PID 1392 wrote to memory of 1572	1392	net.exe	net1.exe
PID 1392 wrote to memory of 1572	1392	net.exe	net1.exe
PID 1392 wrote to memory of 1572	1392	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
"C:\Users\Admin\AppData\Local\Temp\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\net.exe
net stop MSDTC
4⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
5⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
3⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
4⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
5⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\net.exe
net stop vds
4⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
5⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
3⤵
PID:1556

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
3⤵
PID:1912

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
4⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
3⤵
PID:1172

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
4⤵
PID:1516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
5⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
3⤵
PID:1620

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
4⤵
PID:944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
5⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
PID:800

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
PID:1400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
3⤵
PID:1680

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
4⤵
PID:860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
5⤵
PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
MD5
b2632c9ded83883e3bd25a86d2ab2ac3

SHA1
c1b49a2dd32e215b605ea41583d4ebc9b59d11aa

SHA256
b627bb5f0ba69fd52bcf71c4c4d1977d43657bd257d5e583d15a56ec1dd942c1

SHA512
04bb2a6937ad6cc6de6d40ef60c2950e7b3b10fe08fed6eea2d2fc97fd96b6a59187aa802c45209566546afd7cb49baf006a8275f4022848d710038ff4e05d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
MD5
b2632c9ded83883e3bd25a86d2ab2ac3

SHA1
c1b49a2dd32e215b605ea41583d4ebc9b59d11aa

SHA256
b627bb5f0ba69fd52bcf71c4c4d1977d43657bd257d5e583d15a56ec1dd942c1

SHA512
04bb2a6937ad6cc6de6d40ef60c2950e7b3b10fe08fed6eea2d2fc97fd96b6a59187aa802c45209566546afd7cb49baf006a8275f4022848d710038ff4e05d43

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
MD5
b2632c9ded83883e3bd25a86d2ab2ac3

SHA1
c1b49a2dd32e215b605ea41583d4ebc9b59d11aa

SHA256
b627bb5f0ba69fd52bcf71c4c4d1977d43657bd257d5e583d15a56ec1dd942c1

SHA512
04bb2a6937ad6cc6de6d40ef60c2950e7b3b10fe08fed6eea2d2fc97fd96b6a59187aa802c45209566546afd7cb49baf006a8275f4022848d710038ff4e05d43

Download Submit
memory/1772-55-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download