neshta | 21f78b4d9829db5e3e7d21ff3ad03991b9d00df9d05518ff49b8cdfb2d46e282

General

Target

b16522c76d4129c5381c2568b1e31581_5-NS new.exe
Size

165KB
MD5

b16522c76d4129c5381c2568b1e31581
SHA1

6fa7e62cf9aa3264298ff58d75fa505cd5bf583e
SHA256

21f78b4d9829db5e3e7d21ff3ad03991b9d00df9d05518ff49b8cdfb2d46e282
SHA512

e58be82fa8d181644a6c50606c0e32ec0020e9b26eb84f2e58c37c2ba5f0f0c831a46700789a3f95480402cb923498604371f760efb135926eae9be3ce257e48

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b16522c76d4129c5381c2568b1e31581_5-NS new.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b16522c76d4129c5381c2568b1e31581_5-NS new.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

b16522c76d4129c5381c2568b1e31581_5-NS new.exe

pid process

3832 b16522c76d4129c5381c2568b1e31581_5-NS new.exe

pid	process
3832	b16522c76d4129c5381c2568b1e31581_5-NS new.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b16522c76d4129c5381c2568b1e31581_5-NS new.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	b16522c76d4129c5381c2568b1e31581_5-NS new.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

b16522c76d4129c5381c2568b1e31581_5-NS new.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~2.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	b16522c76d4129c5381c2568b1e31581_5-NS new.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost.exeTiWorker.exeb16522c76d4129c5381c2568b1e31581_5-NS new.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\svchost.com	b16522c76d4129c5381c2568b1e31581_5-NS new.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4056"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.688132"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4184"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006602"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4348"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132896426631416774"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.556071"	svchost.exe

Modifies registry class 1 IoCs

Processes:

b16522c76d4129c5381c2568b1e31581_5-NS new.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b16522c76d4129c5381c2568b1e31581_5-NS new.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe
Token: SeRestorePrivilege	3988	TiWorker.exe
Token: SeSecurityPrivilege	3988	TiWorker.exe
Token: SeBackupPrivilege	3988	TiWorker.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b16522c76d4129c5381c2568b1e31581_5-NS new.exeb16522c76d4129c5381c2568b1e31581_5-NS new.exe

description	pid	process	target process
PID 3908 wrote to memory of 3832	3908	b16522c76d4129c5381c2568b1e31581_5-NS new.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
PID 3908 wrote to memory of 3832	3908	b16522c76d4129c5381c2568b1e31581_5-NS new.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
PID 3908 wrote to memory of 3832	3908	b16522c76d4129c5381c2568b1e31581_5-NS new.exe	b16522c76d4129c5381c2568b1e31581_5-NS new.exe
PID 3832 wrote to memory of 3616	3832	b16522c76d4129c5381c2568b1e31581_5-NS new.exe	cmd.exe
PID 3832 wrote to memory of 3616	3832	b16522c76d4129c5381c2568b1e31581_5-NS new.exe	cmd.exe
PID 3832 wrote to memory of 3616	3832	b16522c76d4129c5381c2568b1e31581_5-NS new.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b16522c76d4129c5381c2568b1e31581_5-NS new.exe
"C:\Users\Admin\AppData\Local\Temp\b16522c76d4129c5381c2568b1e31581_5-NS new.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\3582-490\b16522c76d4129c5381c2568b1e31581_5-NS new.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b16522c76d4129c5381c2568b1e31581_5-NS new.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3616

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2476

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\b16522c76d4129c5381c2568b1e31581_5-NS new.exe
MD5
6bffc6c7caa2eb2fa90fac0317f63338

SHA1
bd5354cd813130687c66ecc132d50770d48417cf

SHA256
92c65b58c4925534c2ce78e54b0e11ecaf45ed8cf0344ebff46cdfc4f2fe0d84

SHA512
dc8fad291057faa036ebcdabbc87146911bdc25e922be8fa7ad896dd533f9956ebfaeeb40d80d7ca0a18c225a1cdad6a75e04618cb3e0d8bae72db4877a9ac94

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b16522c76d4129c5381c2568b1e31581_5-NS new.exe
MD5
6bffc6c7caa2eb2fa90fac0317f63338

SHA1
bd5354cd813130687c66ecc132d50770d48417cf

SHA256
92c65b58c4925534c2ce78e54b0e11ecaf45ed8cf0344ebff46cdfc4f2fe0d84

SHA512
dc8fad291057faa036ebcdabbc87146911bdc25e922be8fa7ad896dd533f9956ebfaeeb40d80d7ca0a18c225a1cdad6a75e04618cb3e0d8bae72db4877a9ac94

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads