neshta | 893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf

General

Target

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
Size

1.3MB
MD5

1dff6d9b042d47e9b040f8dffee2112a
SHA1

24c725042eb2a384814e8a4f2c1178be14f4c71f
SHA256

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf
SHA512

243d0e03738bfa7b9013258fda08f7eee3bd2a3aa187b01c2808956467182f0bd93ab2415c73ba9b006e2baa0f319dbb83c14c616ceb2536df8800cc5e184162

Score

10^/10

neshta evasion persistence spyware

Malware Config

Signatures

Detect Neshta Payload 1 IoCs

Processes:

resource	yara_rule
C:\odt\office2016setup.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

pid process

4576 893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\desktop.ini	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File created	C:\Program Files\desktop.ini	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

Drops file in Program Files directory 64 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jfxmedia.dll	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.INF	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2ssv.dll	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\offfiltx.dll	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul-oob.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l1-2-0.dll	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-pl.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLL	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\nio.dll	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe.[[email protected]][MJ-DZ8192430567].sckmedady	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

Drops file in Windows directory 1 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

description ioc process

File opened for modification C:\Windows\svchost.com 893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

Modifies registry class 1 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

NTFS ADS 5 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:咨´	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\´sk8:뫨µ	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:唸´	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:먐µ	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:嚠´	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

pid	process
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 404 wrote to memory of 4576	404	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
PID 404 wrote to memory of 4576	404	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
PID 404 wrote to memory of 4576	404	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
PID 4576 wrote to memory of 4772	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4772	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4772	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4772 wrote to memory of 1168	4772	cmd.exe	net.exe
PID 4772 wrote to memory of 1168	4772	cmd.exe	net.exe
PID 4772 wrote to memory of 1168	4772	cmd.exe	net.exe
PID 1168 wrote to memory of 4436	1168	net.exe	net1.exe
PID 1168 wrote to memory of 4436	1168	net.exe	net1.exe
PID 1168 wrote to memory of 4436	1168	net.exe	net1.exe
PID 4576 wrote to memory of 2364	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2364	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2364	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2576	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2576	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2576	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2356	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2356	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2356	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4376	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4376	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4376	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4376 wrote to memory of 4028	4376	cmd.exe	net.exe
PID 4376 wrote to memory of 4028	4376	cmd.exe	net.exe
PID 4376 wrote to memory of 4028	4376	cmd.exe	net.exe
PID 4028 wrote to memory of 4644	4028	net.exe	net1.exe
PID 4028 wrote to memory of 4644	4028	net.exe	net1.exe
PID 4028 wrote to memory of 4644	4028	net.exe	net1.exe
PID 4576 wrote to memory of 4292	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4292	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4292	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4292 wrote to memory of 3252	4292	cmd.exe	net.exe
PID 4292 wrote to memory of 3252	4292	cmd.exe	net.exe
PID 4292 wrote to memory of 3252	4292	cmd.exe	net.exe
PID 3252 wrote to memory of 3564	3252	net.exe	net1.exe
PID 3252 wrote to memory of 3564	3252	net.exe	net1.exe
PID 3252 wrote to memory of 3564	3252	net.exe	net1.exe
PID 4576 wrote to memory of 4324	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4324	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4324	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4324 wrote to memory of 1784	4324	cmd.exe	net.exe
PID 4324 wrote to memory of 1784	4324	cmd.exe	net.exe
PID 4324 wrote to memory of 1784	4324	cmd.exe	net.exe
PID 1784 wrote to memory of 2104	1784	net.exe	net1.exe
PID 1784 wrote to memory of 2104	1784	net.exe	net1.exe
PID 1784 wrote to memory of 2104	1784	net.exe	net1.exe
PID 4576 wrote to memory of 528	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 528	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 528	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 528 wrote to memory of 4120	528	cmd.exe	netsh.exe
PID 528 wrote to memory of 4120	528	cmd.exe	netsh.exe
PID 528 wrote to memory of 4120	528	cmd.exe	netsh.exe
PID 4576 wrote to memory of 4420	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4420	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 4420	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4420 wrote to memory of 632	4420	cmd.exe	netsh.exe
PID 4420 wrote to memory of 632	4420	cmd.exe	netsh.exe
PID 4420 wrote to memory of 632	4420	cmd.exe	netsh.exe
PID 4576 wrote to memory of 2192	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2192	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 4576 wrote to memory of 2192	4576	893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe	cmd.exe
PID 2192 wrote to memory of 2176	2192	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
"C:\Users\Admin\AppData\Local\Temp\893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\3582-490\893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\net.exe
net stop MSDTC
4⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
5⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
3⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
4⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
5⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\net.exe
net stop vds
4⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
5⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
3⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
3⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
4⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
4⤵
PID:2176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
5⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
3⤵
PID:2840

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
4⤵
PID:4040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
5⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
PID:1616

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
PID:1264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
3⤵
PID:4216

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
4⤵
PID:3652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
5⤵
PID:3356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
MD5
9ffac476908a5193bb7d7af600d3bdfa

SHA1
afb232a1f7e65bf7713850ed57a77cfd462f48dc

SHA256
6cd94839216439c519fa1ac4587ba29fecb0e7a87992c882b2923ae0eaf03a0d

SHA512
83f28df1cbf278edeb040b7178d865aa82317d8a762734723f45a2eb47880f1c66c6077ac4605ebd72f290306483adcd7d525b403e04f5a23c4c97527c06e14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\893b9c6d05afc9ff72c4d5239b015c40833944243c0365cd156cd37689a922cf.exe
MD5
9ffac476908a5193bb7d7af600d3bdfa

SHA1
afb232a1f7e65bf7713850ed57a77cfd462f48dc

SHA256
6cd94839216439c519fa1ac4587ba29fecb0e7a87992c882b2923ae0eaf03a0d

SHA512
83f28df1cbf278edeb040b7178d865aa82317d8a762734723f45a2eb47880f1c66c6077ac4605ebd72f290306483adcd7d525b403e04f5a23c4c97527c06e14d

Download Submit
C:\odt\office2016setup.exe
MD5
49f971ccf77f03f6f492844c6aba7b67

SHA1
f21850ec2dd60ae08bd767e144f448a01d7aa53f

SHA256
fa4eaf54fecf607c3855aff6faf888d41f4bc7aa671266c736c43caa55d213f6

SHA512
24b4270a1b4f5c4f460c86af83928480f2ea9d4a36bee1f459a2aca59209125faf8cc4f948bbf3ec3256708efa6ef4fb24bd3a7b86220f7b23508ce00173fac0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads