neshta | cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348

Analysis

max time kernel
139s
max time network
133s
platform
windows7_x64
resource
win7-en-20211208
submitted
16-02-2022 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
Size

237KB
MD5

b07832b0972e53a061c5293a37773a1e
SHA1

cb5d257d565b7fdba79851c8008d0a17d01f914d
SHA256

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348
SHA512

e977f86dc9f6c288b0e77e6701e89e2dd1d8834fe1a4c2c4926e1493d35ddb538e44df27c7988e83f4b9521aaf717fcb93a55b5449b69729d56f80bc4f8d2be5

Score

10^/10

neshta netwire botnet persistence rat spyware stealer

Malware Config

Extracted

Family

netwire

23.105.131.142:3368

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Love1234
registry_autorun
false
startup_name
use_mutex
false

Signatures

Detect Neshta Payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	family_neshta
\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	family_neshta
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	netwire
\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	netwire
C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	netwire
C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	netwire
\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	netwire
\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	netwire
C:\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 4 IoCs

Processes:

svchost.execded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exesvchost.execded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

pid	process
752	svchost.exe
1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
864	svchost.exe
1724	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Loads dropped DLL 6 IoCs

Processes:

svchost.execded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

pid	process
752	svchost.exe
752	svchost.exe
1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exesvchost.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Drops file in Windows directory 2 IoCs

Processes:

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.execded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

description	ioc	process
File created	C:\Windows\svchost.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
File opened for modification	C:\Windows\svchost.com	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exesvchost.execded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

description	pid	process	target process
PID 524 wrote to memory of 752	524	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	svchost.exe
PID 524 wrote to memory of 752	524	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	svchost.exe
PID 524 wrote to memory of 752	524	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	svchost.exe
PID 524 wrote to memory of 752	524	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	svchost.exe
PID 752 wrote to memory of 1812	752	svchost.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
PID 752 wrote to memory of 1812	752	svchost.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
PID 752 wrote to memory of 1812	752	svchost.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
PID 752 wrote to memory of 1812	752	svchost.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
PID 1812 wrote to memory of 1724	1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
PID 1812 wrote to memory of 1724	1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
PID 1812 wrote to memory of 1724	1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
PID 1812 wrote to memory of 1724	1812	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe	cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe

C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
"C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
"C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe"
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe"
4⤵
- Executes dropped EXE
PID:1724

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
MD5
f75a2fd6f663cf419b468e2d56d151a9

SHA1
7ef335642453c3ef3f3439f8637b7349b3f47228

SHA256
133a18ce886a23152f4afb01ee55ffc34934de5ff9b8ee3140abf3e11c67b16b

SHA512
0f2afe3a76dd3ed5dfb3ac38d015215b14b1107b6837785628b9288cbce485aa11f7bb0dfebd94c9749080934a562a5c4ce22620c8041ed837975409068d3e55

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
MD5
c5c7c9ab4205dbd206d0e41a35251646

SHA1
451304ee05223f4e113042da7550279136f6497f

SHA256
a4e6b639611fb2404d5157f35c5016f531aa309eee1c7ebb14e6853315ed00f9

SHA512
cefcba1107a1e3a72a0f23af2842e341abfb77f6ac06553f18aeeb1e80f8a79f88d45f61bc087bd38d869147bc6fe8bca40c8874389246d6fd8b6f56e7c21eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
MD5
555961790f886ccf3ca7e5cc0e5e272e

SHA1
ec83807bef3c759f0b5a54e417a2d1c236557fdc

SHA256
9e13d17fd5367f2168efd8c0c95773ba91509a3ae503242566c8f0a73c74285d

SHA512
079e6e3d6f63c209a01c3cc457745e973e1ec80224d7e41fef9069ce5566052d99b81328b1d77be5fee3cb99c0d8206cf4953acfbfa569e2ec87a826f2f0fff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
MD5
af0a1ec77e72432f8bf74ecb21a384a8

SHA1
c0831ccc145a8c3e7a361faf9a573b9773ca5354

SHA256
2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c

SHA512
29ef37b7e7332eb7536f346c88a602bd71fae382914710886e85d496f33ad6466be0bc9b7a71b5215cd51a3cefdfea17592fe8bb5eadc103bc7c43ad676724ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
MD5
af0a1ec77e72432f8bf74ecb21a384a8

SHA1
c0831ccc145a8c3e7a361faf9a573b9773ca5354

SHA256
2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c

SHA512
29ef37b7e7332eb7536f346c88a602bd71fae382914710886e85d496f33ad6466be0bc9b7a71b5215cd51a3cefdfea17592fe8bb5eadc103bc7c43ad676724ab

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\ose.exe
MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
MD5
555961790f886ccf3ca7e5cc0e5e272e

SHA1
ec83807bef3c759f0b5a54e417a2d1c236557fdc

SHA256
9e13d17fd5367f2168efd8c0c95773ba91509a3ae503242566c8f0a73c74285d

SHA512
079e6e3d6f63c209a01c3cc457745e973e1ec80224d7e41fef9069ce5566052d99b81328b1d77be5fee3cb99c0d8206cf4953acfbfa569e2ec87a826f2f0fff7

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
MD5
555961790f886ccf3ca7e5cc0e5e272e

SHA1
ec83807bef3c759f0b5a54e417a2d1c236557fdc

SHA256
9e13d17fd5367f2168efd8c0c95773ba91509a3ae503242566c8f0a73c74285d

SHA512
079e6e3d6f63c209a01c3cc457745e973e1ec80224d7e41fef9069ce5566052d99b81328b1d77be5fee3cb99c0d8206cf4953acfbfa569e2ec87a826f2f0fff7

Download Submit
\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
MD5
af0a1ec77e72432f8bf74ecb21a384a8

SHA1
c0831ccc145a8c3e7a361faf9a573b9773ca5354

SHA256
2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c

SHA512
29ef37b7e7332eb7536f346c88a602bd71fae382914710886e85d496f33ad6466be0bc9b7a71b5215cd51a3cefdfea17592fe8bb5eadc103bc7c43ad676724ab

Download Submit
\Users\Admin\AppData\Local\Temp\cded3258be6ee1f27dedceb41ddc5cb0b9f35db1daed5626643f6e92747ba348.exe
MD5
af0a1ec77e72432f8bf74ecb21a384a8

SHA1
c0831ccc145a8c3e7a361faf9a573b9773ca5354

SHA256
2a73e8f413acfcd05a38ac515320430dbb7c99aaa7d4fdf8ae3dd1f59050074c

SHA512
29ef37b7e7332eb7536f346c88a602bd71fae382914710886e85d496f33ad6466be0bc9b7a71b5215cd51a3cefdfea17592fe8bb5eadc103bc7c43ad676724ab

Download Submit
memory/1812-59-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download