neshta | 88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7

General

Target

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
Size

4.2MB
MD5

076c3c206eea88ba662d47b2b741d15a
SHA1

84a7899525a78fdd791d373b90e025dadfa3fad0
SHA256

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7
SHA512

e98bae8bdd3b02eb0015e7ec813729afe2eb8f6fda057414f7f508eff8fef69c4813a62323683fff29d2b829b4f008fab4edde652b61e2feb0af417d51584893

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

pid process

1324 88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

Loads dropped DLL 3 IoCs

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

pid	process
1808	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
1324	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
1808	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

Drops file in Windows directory 1 IoCs

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

description ioc process

File opened for modification C:\Windows\svchost.com 88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A59C5E1-DB12-11EC-BC64-62D05D50A506} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000001968f8687ec6698efdd23859d3fe2872c3bcbe37978fde2e22b4b316144b4955000000000e8000000002000020000000c7070e81303ac6f352514f497a2d3ab922d853ce3cdebfaf53b19784ddc2d26190000000c90ede4c20783e903c26aed0bdea2f47222f5404f95411591ab73764e0733ed8f51eb9c3b40a4900a076a6393180cc99f1c77c15c853cb0ac0b72e67ab68cb311c5991932b536ce35dd62e9d0b4f63ed032d0f798b0ea779da03b5eeda4be1ac9fbae89ac906a5e311a197af84e4d1fa0bb68f7f8e3111423e6b7c381946e2bb60be0f7fe85e331115a50940a21b247f40000000c82653b96cc6fc7cd3af45872854cbb5cd10a471ef83e5e93ae89ac4ae1c3f0f164742bea8b59c4fbb3858435c6a351dcefa0d9e4764d860e868e72139c512a4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360128110"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000f4b7e4b280527d2ed4c377930914cdf4e71d9cffa52d16ff249c422620be3d9c000000000e8000000002000020000000b6a6bc2ee18d6e8f5e534b6ed0a912caed9c88162086ba8353382d80582b496f200000005dd3b73ce3da64a36a407ce060335bdc4f5507e2c144be6d130ac8e3ceb4403540000000bcfa7d3954d2a3bbaba7cf6680c81607afda7bbe6becd8f27276da054ab90c11de975709b20f369293c46828545a49f28b436ba51a1ac497bc37398b872dd8d4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0144efb1e6fd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 1 IoCs

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe

pid	process
2020	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exeiexplore.exeIEXPLORE.EXE

pid	process
1324	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
2020	iexplore.exe
2020	iexplore.exe
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exeiexplore.exe

description	pid	process	target process
PID 1808 wrote to memory of 1324	1808	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
PID 1808 wrote to memory of 1324	1808	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
PID 1808 wrote to memory of 1324	1808	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
PID 1808 wrote to memory of 1324	1808	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
PID 1324 wrote to memory of 2020	1324	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	iexplore.exe
PID 1324 wrote to memory of 2020	1324	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	iexplore.exe
PID 1324 wrote to memory of 2020	1324	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	iexplore.exe
PID 1324 wrote to memory of 2020	1324	88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe	iexplore.exe
PID 2020 wrote to memory of 1740	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1740	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1740	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 1740	2020	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
"C:\Users\Admin\AppData\Local\Temp\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://chf.su/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
f21bd7a21ac75224237c475a1e4a93ec

SHA1
e2ea8f365d751e67dbd12f2c3913985f36dd40e9

SHA256
4c5c13d4269aae5acbf78dc214bb72ce5caa401fabd453a0aabd4fce1a301fd9

SHA512
747fc0e57593678f754bcdcae5fa6f6fde6fbdef879f11a8ed493a446ddce204ae01a90fc207bbf9f42115a14ce92797c91ab661515e1fb3450a4d6fa5e2bf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
Filesize
4.1MB

MD5
e768bbea30e671a8116f1eaa706c4d93

SHA1
7159ad7082be7aa7f533ee88e364cfcc5c528deb

SHA256
e436924a2fac62b5df8e77b588ce8e3f8c23075e1367c6c53fbca70ff3107e42

SHA512
407ce9c8a367510a7c010da53a17f7ee218dc38cdd0882d4eb46e81e3e66126d943e5c5034f18a964c36d8260e8921ed088714a0e76793c51b30dd378750eeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
Filesize
4.1MB

MD5
e768bbea30e671a8116f1eaa706c4d93

SHA1
7159ad7082be7aa7f533ee88e364cfcc5c528deb

SHA256
e436924a2fac62b5df8e77b588ce8e3f8c23075e1367c6c53fbca70ff3107e42

SHA512
407ce9c8a367510a7c010da53a17f7ee218dc38cdd0882d4eb46e81e3e66126d943e5c5034f18a964c36d8260e8921ed088714a0e76793c51b30dd378750eeed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WC03ZCRO.txt
Filesize
595B

MD5
5cba90758c170b1fd10106345d74140e

SHA1
d6206e2a671daf7fd2d4ee7715436839a72760b2

SHA256
1fb837537764d652602735f286020813e0c7f5b158e0a7f9bccdd1ffff191450

SHA512
a30892ea94c534b2d1195eefc80996cd4b55adcf10648c6dbb6a55d53030f80c4c31dff85dc74ad815046e77f8725f58a31e45aff368cda90eebbe634ee9d002

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
Filesize
4.1MB

MD5
e768bbea30e671a8116f1eaa706c4d93

SHA1
7159ad7082be7aa7f533ee88e364cfcc5c528deb

SHA256
e436924a2fac62b5df8e77b588ce8e3f8c23075e1367c6c53fbca70ff3107e42

SHA512
407ce9c8a367510a7c010da53a17f7ee218dc38cdd0882d4eb46e81e3e66126d943e5c5034f18a964c36d8260e8921ed088714a0e76793c51b30dd378750eeed

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\88b595be3a022a6a1faa13f329241be4eeec52040072d1384030ab6cfb0d24c7.exe
Filesize
4.1MB

MD5
e768bbea30e671a8116f1eaa706c4d93

SHA1
7159ad7082be7aa7f533ee88e364cfcc5c528deb

SHA256
e436924a2fac62b5df8e77b588ce8e3f8c23075e1367c6c53fbca70ff3107e42

SHA512
407ce9c8a367510a7c010da53a17f7ee218dc38cdd0882d4eb46e81e3e66126d943e5c5034f18a964c36d8260e8921ed088714a0e76793c51b30dd378750eeed

Download Submit
memory/1324-56-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads