neshta | f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8

General

Target

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
Size

137KB
MD5

c1064f361e1f0d8562753acdc3d04ef4
SHA1

e044fe6baad0477fddd6fa52b1c365a79fe73335
SHA256

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8
SHA512

97927a782c1b23bf670bc19569bd42d69c62cc4432cceb9a81b1ea31da2e5e70288768c9622336dddf80cd8f2b7e7426bac731307aaa266871297042ebdc1bee

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

pid process

3572 f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~4.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI9C33~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MIA062~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Drops file in Windows directory 1 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description ioc process

File opened for modification C:\Windows\svchost.com f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Modifies registry class 1 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

pid	process
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

pid process

3572 f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description pid process

Token: SeDebugPrivilege 3572 f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description	pid	process
Token: SeDebugPrivilege	3572	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

description	pid	process	target process
PID 1564 wrote to memory of 3572	1564	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
PID 1564 wrote to memory of 3572	1564	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
PID 1564 wrote to memory of 3572	1564	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe	f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe

C:\Users\Admin\AppData\Local\Temp\f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
"C:\Users\Admin\AppData\Local\Temp\f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\3582-490\f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\f68365b3db8f5b22173666468e6998a73984acc9b55fe84315868894944474d8.exe
MD5
92e845c86c65c413b13e7a9c2be74740

SHA1
ee4a9743a5a1390375b488a55d4e2ee5da02104f

SHA256
0423f8afb6e33dde8dd08f68f1090a9050645adcc268fb96021f6b30e4e363aa

SHA512
7355bc255f5dcebfc27450dac587e36c004eb22e3c395341b22b9577dcd90767bb85447047cfd6f164817ab9de6dade8d4a7b23d09c0a04cf111beb64fa17e6c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads