neshta | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9

General

Target

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
Size

1.3MB
MD5

2140adb39cf86f635f1c2d16dbe89970
SHA1

0aa79344a9f2f0a76f522b414701a74dab070167
SHA256

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9
SHA512

29d3991345197f6d482597cfb42349737eacb339f2e77f15f625622a80347de835c5198d4d3980319e3ab63613e9d1a10a8b3558f0c71643e8d5a6bae54bfa66

Score

10^/10

neshta evasion persistence ransomware spyware

Malware Config

Extracted

Path

C:\Decryption-Guide.txt

Ransom Note

Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID :MJ-RZ5964312708 OUR Email :[email protected]

Emails

[email protected]

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

pid process

2984 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

description	ioc	process
File created	C:\Program Files\desktop.ini	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\desktop.ini	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File created	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

Drops file in Program Files directory 64 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-oql_ja.jar	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jli.dll,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jsdt.dll	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\[email protected]	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-nodes.xml	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe,(MJ-RZ5964312708)([email protected]).wixawm	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

Drops file in Windows directory 2 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

NTFS ADS 7 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\Ɛťsk8:Ըť	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\¸ťsk8:ܰť	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:Ҩť	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:Ƞť	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\櫐Ţsk8:枸Ţ	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\泈Ţsk8:澘Ţ	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
File opened for modification	C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:熐Ţ	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

pid	process
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4692 wrote to memory of 2984	4692	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
PID 4692 wrote to memory of 2984	4692	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
PID 4692 wrote to memory of 2984	4692	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
PID 2984 wrote to memory of 2832	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 2832	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 2832	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2832 wrote to memory of 5024	2832	cmd.exe	net.exe
PID 2832 wrote to memory of 5024	2832	cmd.exe	net.exe
PID 2832 wrote to memory of 5024	2832	cmd.exe	net.exe
PID 5024 wrote to memory of 2300	5024	net.exe	net1.exe
PID 5024 wrote to memory of 2300	5024	net.exe	net1.exe
PID 5024 wrote to memory of 2300	5024	net.exe	net1.exe
PID 2984 wrote to memory of 3552	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 3552	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 3552	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 4404	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 4404	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 4404	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 4876	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 4876	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 4876	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 3656	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 3656	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 3656	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 3656 wrote to memory of 3904	3656	cmd.exe	net.exe
PID 3656 wrote to memory of 3904	3656	cmd.exe	net.exe
PID 3656 wrote to memory of 3904	3656	cmd.exe	net.exe
PID 3904 wrote to memory of 4188	3904	net.exe	net1.exe
PID 3904 wrote to memory of 4188	3904	net.exe	net1.exe
PID 3904 wrote to memory of 4188	3904	net.exe	net1.exe
PID 2984 wrote to memory of 1476	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 1476	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 1476	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 1476 wrote to memory of 1308	1476	cmd.exe	net.exe
PID 1476 wrote to memory of 1308	1476	cmd.exe	net.exe
PID 1476 wrote to memory of 1308	1476	cmd.exe	net.exe
PID 1308 wrote to memory of 4384	1308	net.exe	net1.exe
PID 1308 wrote to memory of 4384	1308	net.exe	net1.exe
PID 1308 wrote to memory of 4384	1308	net.exe	net1.exe
PID 2984 wrote to memory of 804	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 804	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 804	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 804 wrote to memory of 3088	804	cmd.exe	net.exe
PID 804 wrote to memory of 3088	804	cmd.exe	net.exe
PID 804 wrote to memory of 3088	804	cmd.exe	net.exe
PID 3088 wrote to memory of 3836	3088	net.exe	net1.exe
PID 3088 wrote to memory of 3836	3088	net.exe	net1.exe
PID 3088 wrote to memory of 3836	3088	net.exe	net1.exe
PID 2984 wrote to memory of 632	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 632	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 632	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 632 wrote to memory of 2000	632	cmd.exe	netsh.exe
PID 632 wrote to memory of 2000	632	cmd.exe	netsh.exe
PID 632 wrote to memory of 2000	632	cmd.exe	netsh.exe
PID 2984 wrote to memory of 2492	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 2492	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 2492	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2492 wrote to memory of 2592	2492	cmd.exe	netsh.exe
PID 2492 wrote to memory of 2592	2492	cmd.exe	netsh.exe
PID 2492 wrote to memory of 2592	2492	cmd.exe	netsh.exe
PID 2984 wrote to memory of 5028	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 5028	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 2984 wrote to memory of 5028	2984	7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe	cmd.exe
PID 5028 wrote to memory of 1492	5028	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
"C:\Users\Admin\AppData\Local\Temp\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\3582-490\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\net.exe
net stop MSDTC
4⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
5⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
3⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
4⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
5⤵
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\net.exe
net stop vds
4⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
5⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
3⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
3⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
4⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
4⤵
PID:1492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
5⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
3⤵
PID:3992

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
4⤵
PID:1060

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
5⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
3⤵
PID:1276

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
4⤵
PID:4820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
5⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
3⤵
PID:3016

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
4⤵
PID:4832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
5⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
MD5
d18aad284f150b7eeaeabfb6b033563f

SHA1
0ef010f14a8692082ccd94b786cf5f93bc5f2e12

SHA256
85bae053b7c9561837e65e1f5d5b02f5cabb63fdd544d62e743fd291daa965c2

SHA512
359946d43f186224e881e873fb1f35ac1856ad9ffcdc1ad73f71bcc5c1403b07ca6d56114c859f088138d180635e70ba669abe0a4183e746cfadbfa2bde67807

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
MD5
d18aad284f150b7eeaeabfb6b033563f

SHA1
0ef010f14a8692082ccd94b786cf5f93bc5f2e12

SHA256
85bae053b7c9561837e65e1f5d5b02f5cabb63fdd544d62e743fd291daa965c2

SHA512
359946d43f186224e881e873fb1f35ac1856ad9ffcdc1ad73f71bcc5c1403b07ca6d56114c859f088138d180635e70ba669abe0a4183e746cfadbfa2bde67807

Download Submit
C:\odt\office2016setup.exe
MD5
22a9c2d4e6f11925037aa9dd07879b5a

SHA1
33bfaba0794afeeb43cda0a89e0b14ef0536cfbe

SHA256
48fc55b56cdf3a01d70d293d0468a4d90b5efcfb5a7a2ce2b31a6fb768541e50

SHA512
4ff5b1c2a22a77deb9978e7e8ecec71b9163aa9d86683c72707f912773b2ca0ab265cd3627278522d2ec0c4471b4978bb0ae37c9be0dcb745031aaa8fff405fb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads