Analysis
- max time kernel: 162s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 12-02-2022 00:28

Static task: static1
Behavioral task: behavioral1
  Sample: 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  Resource: win10v2004-en-20220113
General
- Target: 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
- Size: 1.3MB
- MD5: 2140adb39cf86f635f1c2d16dbe89970
- SHA1: 0aa79344a9f2f0a76f522b414701a74dab070167
- SHA256: 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9
- SHA512: 29d3991345197f6d482597cfb42349737eacb339f2e77f15f625622a80347de835c5198d4d3980319e3ab63613e9d1a10a8b3558f0c71643e8d5a6bae54bfa66
Malware Config
Extracted: C:\Decryption-Guide.txt
Signatures
-
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
-
Neshta
Malware from the Neshta family infects other executable files with copies of itself in order to spread and cause damage.
-
Executes dropped EXE (1 IoC)
Processes (pid | process):
  2984 | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
-
Drops desktop.ini file(s) (5 IoCs)
Processes (description | ioc | process):
  File created | C:\Program Files\desktop.ini | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Program Files\desktop.ini | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File created | C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
-
Drops file in Program Files directory (64 IoCs)
-
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\svchost.com | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
-
NTFS ADS (7 IoCs)
Processes (description | ioc | process):
  File opened for modification | C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\Ɛťsk8:Ըť | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\¸ťsk8:ܰť | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:Ҩť | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:Ƞť | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\櫐Ţsk8:枸Ţ | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\泈Ţsk8:澘Ţ | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-1346565761-3498240568-4147300184-1000\de8:熐Ţ | 7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (18 IoCs)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Process tree (the number in brackets is the depth in the tree; each entry gives the image path, the PID, the command line and the signatures triggered by that process):

[1] C:\Users\Admin\AppData\Local\Temp\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe (PID 4692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe"
    - Modifies system executable filetype association
    - Checks computer location settings
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\3582-490\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe (PID 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe"
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2832)
        Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 5024)
          Command line: net stop MSDTC
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 2300)
            Command line: C:\Windows\system32\net1 stop MSDTC
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3552)
        Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4404)
        Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4876)
        Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3656)
        Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 3904)
          Command line: net stop SQLSERVERAGENT
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 4188)
            Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1476)
        Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 1308)
          Command line: net stop MSSQLSERVER
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 4384)
            Command line: C:\Windows\system32\net1 stop MSSQLSERVER
    [3] C:\Windows\SysWOW64\cmd.exe (PID 804)
        Command line: C:\Windows\system32\cmd.exe /c net stop vds
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 3088)
          Command line: net stop vds
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 3836)
            Command line: C:\Windows\system32\net1 stop vds
    [3] C:\Windows\SysWOW64\cmd.exe (PID 632)
        Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\netsh.exe (PID 2000)
          Command line: netsh advfirewall set currentprofile state off
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2492)
        Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\netsh.exe (PID 2592)
          Command line: netsh firewall set opmode mode=disable
    [3] C:\Windows\SysWOW64\cmd.exe (PID 5028)
        Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 1492)
          Command line: net stop SQLWriter
        [5] C:\Windows\SysWOW64\net1.exe (PID 1528)
            Command line: C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3992)
        Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      [4] C:\Windows\SysWOW64\net.exe (PID 1060)
          Command line: net stop SQLBrowser
        [5] C:\Windows\SysWOW64\net1.exe (PID 3920)
            Command line: C:\Windows\system32\net1 stop SQLBrowser
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1276)
        Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      [4] C:\Windows\SysWOW64\net.exe (PID 4820)
          Command line: net stop MSSQLSERVER
        [5] C:\Windows\SysWOW64\net1.exe (PID 2292)
            Command line: C:\Windows\system32\net1 stop MSSQLSERVER
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3016)
        Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      [4] C:\Windows\SysWOW64\net.exe (PID 4832)
          Command line: net stop MSSQL$CONTOSO1
        [5] C:\Windows\SysWOW64\net1.exe (PID 1440)
            Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
[1] C:\Windows\system32\svchost.exe (PID 1292)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\7cb950b5904260b19798a6eb12d7bf1610a5725966d82fd7bef1550fc1a400a9.exe
  MD5: d18aad284f150b7eeaeabfb6b033563f
  SHA1: 0ef010f14a8692082ccd94b786cf5f93bc5f2e12
  SHA256: 85bae053b7c9561837e65e1f5d5b02f5cabb63fdd544d62e743fd291daa965c2
  SHA512: 359946d43f186224e881e873fb1f35ac1856ad9ffcdc1ad73f71bcc5c1403b07ca6d56114c859f088138d180635e70ba669abe0a4183e746cfadbfa2bde67807
- C:\odt\office2016setup.exe
  MD5: 22a9c2d4e6f11925037aa9dd07879b5a
  SHA1: 33bfaba0794afeeb43cda0a89e0b14ef0536cfbe
  SHA256: 48fc55b56cdf3a01d70d293d0468a4d90b5efcfb5a7a2ce2b31a6fb768541e50
  SHA512: 4ff5b1c2a22a77deb9978e7e8ecec71b9163aa9d86683c72707f912773b2ca0ab265cd3627278522d2ec0c4471b4978bb0ae37c9be0dcb745031aaa8fff405fb