neshta | a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9

General

Target

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
Size

1.3MB
MD5

08676a0eaff0dc145df83c6e8da85920
SHA1

729bfe1fcc9a31ee58ca56b7cc702b035838cb76
SHA256

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9
SHA512

f80c3723a881de1317dfffabed8e07886651d8e6aa46b622562a4e726924bf7809e2101ed40e2316339067608febb6a2cf49a116a0cca791d9aea3afcf3e553e

Score

10^/10

neshta evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Read-this.txt

Ransom Note

All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back 1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey.txt.key file 2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data 3-Payment should be with Bitcoin 4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss Our Email:[email protected] in Case of no Answer:[email protected]

Emails

Email:[email protected]

Answer:[email protected]

Signatures

Detect Neshta Payload 1 IoCs

Processes:

resource	yara_rule
C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\A76599~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

pid process

4960 a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 5 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\desktop.ini	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Drops file in Program Files directory 64 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-environment-l1-1-0.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grouping.Base.dll.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square44x44Logo.scale-125.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-io.xml	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-125.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jpeg.dll.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\SendEnter.lock	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT632.CNV	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-ul-oob.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\eula.dll.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-oob.xrm-ms	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.[[email protected]][MJ-PA8093765412].robin	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-black_scale-125.png	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Drops file in Windows directory 7 IoCs

Processes:

svchost.exea76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\svchost.com	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

NTFS ADS 5 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\局òsk8:孨ò	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-34:㨀240568-4147300184-10\ǳՉ䰀儀òø\+Ȁ즸îՉ䰀ǳȁ̀豻瞜힩胆	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\冐òsk8:剨ò	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:叐ò	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:妸ò	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

pid	process
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3732	svchost.exe
Token: SeCreatePagefilePrivilege	3732	svchost.exe
Token: SeShutdownPrivilege	3732	svchost.exe
Token: SeCreatePagefilePrivilege	3732	svchost.exe
Token: SeShutdownPrivilege	3732	svchost.exe
Token: SeCreatePagefilePrivilege	3732	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exea76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 4960	1948	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
PID 1948 wrote to memory of 4960	1948	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
PID 1948 wrote to memory of 4960	1948	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
PID 4960 wrote to memory of 4292	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 4292	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 4292	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4292 wrote to memory of 4288	4292	cmd.exe	net.exe
PID 4292 wrote to memory of 4288	4292	cmd.exe	net.exe
PID 4292 wrote to memory of 4288	4292	cmd.exe	net.exe
PID 4288 wrote to memory of 1312	4288	net.exe	net1.exe
PID 4288 wrote to memory of 1312	4288	net.exe	net1.exe
PID 4288 wrote to memory of 1312	4288	net.exe	net1.exe
PID 4960 wrote to memory of 1552	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 1552	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 1552	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 1880	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 1880	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 1880	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 2436	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 2436	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 2436	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 3168	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 3168	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 3168	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 3168 wrote to memory of 864	3168	cmd.exe	net.exe
PID 3168 wrote to memory of 864	3168	cmd.exe	net.exe
PID 3168 wrote to memory of 864	3168	cmd.exe	net.exe
PID 864 wrote to memory of 2704	864	net.exe	net1.exe
PID 864 wrote to memory of 2704	864	net.exe	net1.exe
PID 864 wrote to memory of 2704	864	net.exe	net1.exe
PID 4960 wrote to memory of 5092	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 5092	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 5092	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 5092 wrote to memory of 4080	5092	cmd.exe	net.exe
PID 5092 wrote to memory of 4080	5092	cmd.exe	net.exe
PID 5092 wrote to memory of 4080	5092	cmd.exe	net.exe
PID 4080 wrote to memory of 3440	4080	net.exe	net1.exe
PID 4080 wrote to memory of 3440	4080	net.exe	net1.exe
PID 4080 wrote to memory of 3440	4080	net.exe	net1.exe
PID 4960 wrote to memory of 4408	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 4408	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 4408	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4408 wrote to memory of 4068	4408	cmd.exe	net.exe
PID 4408 wrote to memory of 4068	4408	cmd.exe	net.exe
PID 4408 wrote to memory of 4068	4408	cmd.exe	net.exe
PID 4068 wrote to memory of 4260	4068	net.exe	net1.exe
PID 4068 wrote to memory of 4260	4068	net.exe	net1.exe
PID 4068 wrote to memory of 4260	4068	net.exe	net1.exe
PID 4960 wrote to memory of 4828	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 4828	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 4828	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4828 wrote to memory of 3380	4828	cmd.exe	netsh.exe
PID 4828 wrote to memory of 3380	4828	cmd.exe	netsh.exe
PID 4828 wrote to memory of 3380	4828	cmd.exe	netsh.exe
PID 4960 wrote to memory of 1040	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 1040	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 1040	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 1040 wrote to memory of 1884	1040	cmd.exe	netsh.exe
PID 1040 wrote to memory of 1884	1040	cmd.exe	netsh.exe
PID 1040 wrote to memory of 1884	1040	cmd.exe	netsh.exe
PID 4960 wrote to memory of 3460	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 3460	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 4960 wrote to memory of 3460	4960	a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe	cmd.exe
PID 3460 wrote to memory of 4508	3460	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
"C:\Users\Admin\AppData\Local\Temp\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\net.exe
net stop MSDTC
4⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
5⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
3⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
4⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
5⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\net.exe
net stop vds
4⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
5⤵
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
3⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
3⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
4⤵
PID:4508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
5⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
3⤵
PID:3924

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
4⤵
PID:5072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
5⤵
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
PID:3180

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
PID:2360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
3⤵
PID:3464

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
4⤵
PID:3552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
5⤵
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\A76599~1.EXE
MD5
08676a0eaff0dc145df83c6e8da85920

SHA1
729bfe1fcc9a31ee58ca56b7cc702b035838cb76

SHA256
a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9

SHA512
f80c3723a881de1317dfffabed8e07886651d8e6aa46b622562a4e726924bf7809e2101ed40e2316339067608febb6a2cf49a116a0cca791d9aea3afcf3e553e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
MD5
b2632c9ded83883e3bd25a86d2ab2ac3

SHA1
c1b49a2dd32e215b605ea41583d4ebc9b59d11aa

SHA256
b627bb5f0ba69fd52bcf71c4c4d1977d43657bd257d5e583d15a56ec1dd942c1

SHA512
04bb2a6937ad6cc6de6d40ef60c2950e7b3b10fe08fed6eea2d2fc97fd96b6a59187aa802c45209566546afd7cb49baf006a8275f4022848d710038ff4e05d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9.exe
MD5
b2632c9ded83883e3bd25a86d2ab2ac3

SHA1
c1b49a2dd32e215b605ea41583d4ebc9b59d11aa

SHA256
b627bb5f0ba69fd52bcf71c4c4d1977d43657bd257d5e583d15a56ec1dd942c1

SHA512
04bb2a6937ad6cc6de6d40ef60c2950e7b3b10fe08fed6eea2d2fc97fd96b6a59187aa802c45209566546afd7cb49baf006a8275f4022848d710038ff4e05d43

Download Submit
C:\odt\office2016setup.exe
MD5
b43488bb0d0ce18aa996cd08ca051f09

SHA1
6b098bdec85b268f6237e47e3074c2632048b99c

SHA256
dc621c473864955e182fa8cb8b54fc443355c0925a5dd1a36c6c60ade4b9e695

SHA512
9835797567ffc5d48d57cf30ebd2215d97de54094f9894af6139d105e2d54d55e40646cd8a62f3dd678ad9395fdd0bf1f8a2c38451ea677fa5bcb65831f636fc

Download Submit
memory/3732-133-0x000002DDE5730000-0x000002DDE5740000-memory.dmp

Filesize
64KB

Download
memory/3732-134-0x000002DDE5790000-0x000002DDE57A0000-memory.dmp

Filesize
64KB

Download
memory/3732-135-0x000002DDE8490000-0x000002DDE8494000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads