neshta | e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80

Analysis

max time kernel
66s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
Size

139KB
MD5

d9659eb9fa16a4c873a4e74610008bb7
SHA1

aab0ef0b04597ef4cbb133eae99972fedbc2622d
SHA256

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80
SHA512

507d3edbe5dd5d707a836511f6097d55c7249b6a7c12072c0267c71790301c4947a1539c93619d3961481180d78bcf299ccfd363944fb208b167495551acffaa

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exesvchost.comvlc.exe

pid process

900 e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
1692 svchost.com
592 vlc.exe

pid	process
900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
1692	svchost.com
592	vlc.exe

Loads dropped DLL 3 IoCs

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exesvchost.com

pid	process
1972	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
1972	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
1692	svchost.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "C:\\Users\\Admin\\AppData\\Roaming\\vlc\\vlc.exe"	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe

Drops file in Windows directory 3 IoCs

Processes:

svchost.come9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exevlc.exe

pid process

900 e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
592 vlc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

864 powershell.exe

pid	process
900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
592	vlc.exe

pid	process
864	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exevlc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
Token: SeDebugPrivilege	592	vlc.exe
Token: SeDebugPrivilege	864	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exee9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exesvchost.com

description	pid	process	target process
PID 1972 wrote to memory of 900	1972	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
PID 1972 wrote to memory of 900	1972	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
PID 1972 wrote to memory of 900	1972	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
PID 1972 wrote to memory of 900	1972	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
PID 900 wrote to memory of 864	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	powershell.exe
PID 900 wrote to memory of 864	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	powershell.exe
PID 900 wrote to memory of 864	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	powershell.exe
PID 900 wrote to memory of 864	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	powershell.exe
PID 900 wrote to memory of 1692	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	svchost.com
PID 900 wrote to memory of 1692	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	svchost.com
PID 900 wrote to memory of 1692	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	svchost.com
PID 900 wrote to memory of 1692	900	e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe	svchost.com
PID 1692 wrote to memory of 592	1692	svchost.com	vlc.exe
PID 1692 wrote to memory of 592	1692	svchost.com	vlc.exe
PID 1692 wrote to memory of 592	1692	svchost.com	vlc.exe
PID 1692 wrote to memory of 592	1692	svchost.com	vlc.exe

C:\Users\Admin\AppData\Local\Temp\e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
"C:\Users\Admin\AppData\Local\Temp\e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\3582-490\e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc' -Value '"C:\Users\Admin\AppData\Roaming\vlc\vlc.exe"' -PropertyType 'String'
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\vlc\vlc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Roaming\vlc\vlc.exe
C:\Users\Admin\AppData\Roaming\vlc\vlc.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:592

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
Filesize
98KB

MD5
43c7d08e54bf21d3ea46a7ca54fcbdf5

SHA1
882709a827776ec2f2a6bba8c862f984260c1d0e

SHA256
afc89defa581279ad5bfc2f9c02b79d3e78b40ac60f3ae9836f125ea77f7d9c4

SHA512
4440a77ea7cb9037b7afb0e3beff10af0e965a888582ee9cf9d747d2d977e5830f49a68582e66f02cb007e11320038b5977a76649d32c8c15343281edd855a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
Filesize
98KB

MD5
43c7d08e54bf21d3ea46a7ca54fcbdf5

SHA1
882709a827776ec2f2a6bba8c862f984260c1d0e

SHA256
afc89defa581279ad5bfc2f9c02b79d3e78b40ac60f3ae9836f125ea77f7d9c4

SHA512
4440a77ea7cb9037b7afb0e3beff10af0e965a888582ee9cf9d747d2d977e5830f49a68582e66f02cb007e11320038b5977a76649d32c8c15343281edd855a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize
8B

MD5
83003d5ab51f455fc4b251db361dc49c

SHA1
4cc6b42e0ee44c72c31c8b5ef98d5e87a6e4218a

SHA256
973167f2a8e90a13c1acbc6e148af01c20e862e99a12961a4bb6ed2facd0dff7

SHA512
2a7f0b9d6a7f48f8773f2f0c23b6d9ce7065400ad71a11ee836bef90dd95fe996c4e4a4a52c7a3a00c574207bc62e462eb2eef969f3f727e62d57df9f9010c6b

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc.exe
Filesize
47.6MB

MD5
a94c7bfb1c998b0ec92dd8d57fdab6f2

SHA1
7687a80f03d42993b7020236e19255440d233c04

SHA256
4b81262ef6df938c66a02406a4e7e5df51390f0d78ef3ea95cbaa910ae233662

SHA512
4d8fa49bdb232bd65ee3eec8056ea28f16f7b7500a28ded5cb306c4708221eb29b3b32fb13f7680c9468ba504c9cb364a7978c9ad2775ecc94d067d1da628d84

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc.exe
Filesize
47.6MB

MD5
a94c7bfb1c998b0ec92dd8d57fdab6f2

SHA1
7687a80f03d42993b7020236e19255440d233c04

SHA256
4b81262ef6df938c66a02406a4e7e5df51390f0d78ef3ea95cbaa910ae233662

SHA512
4d8fa49bdb232bd65ee3eec8056ea28f16f7b7500a28ded5cb306c4708221eb29b3b32fb13f7680c9468ba504c9cb364a7978c9ad2775ecc94d067d1da628d84

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
b404bd63e6d27581f5899096494a9716

SHA1
52797a4c07b58821d5db81b41069c0090d887c0b

SHA256
67d6d28c3971df6f79226f09ffdd8329dbe12e3aca7863e0efddc0fe27931365

SHA512
5b64a1640dd10c008b730d5b7b2edf433e210fc70487134db07bcf663077148ba99770c5addf9a9e782c9679acaf97dcdcb6b8e9ec9914a730caa60aa0cca4fb

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
b404bd63e6d27581f5899096494a9716

SHA1
52797a4c07b58821d5db81b41069c0090d887c0b

SHA256
67d6d28c3971df6f79226f09ffdd8329dbe12e3aca7863e0efddc0fe27931365

SHA512
5b64a1640dd10c008b730d5b7b2edf433e210fc70487134db07bcf663077148ba99770c5addf9a9e782c9679acaf97dcdcb6b8e9ec9914a730caa60aa0cca4fb

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\e9cf73adc8da7d74d6477c61664c22ba624365d56fefa99aede69d3e447d9d80.exe
Filesize
98KB

MD5
43c7d08e54bf21d3ea46a7ca54fcbdf5

SHA1
882709a827776ec2f2a6bba8c862f984260c1d0e

SHA256
afc89defa581279ad5bfc2f9c02b79d3e78b40ac60f3ae9836f125ea77f7d9c4

SHA512
4440a77ea7cb9037b7afb0e3beff10af0e965a888582ee9cf9d747d2d977e5830f49a68582e66f02cb007e11320038b5977a76649d32c8c15343281edd855a1d

Download Submit
\Users\Admin\AppData\Roaming\vlc\vlc.exe
Filesize
47.6MB

MD5
a94c7bfb1c998b0ec92dd8d57fdab6f2

SHA1
7687a80f03d42993b7020236e19255440d233c04

SHA256
4b81262ef6df938c66a02406a4e7e5df51390f0d78ef3ea95cbaa910ae233662

SHA512
4d8fa49bdb232bd65ee3eec8056ea28f16f7b7500a28ded5cb306c4708221eb29b3b32fb13f7680c9468ba504c9cb364a7978c9ad2775ecc94d067d1da628d84

Download Submit
memory/592-70-0x0000000000000000-mapping.dmp

Download
memory/592-72-0x0000000000270000-0x000000000028E000-memory.dmp

Filesize
120KB

Download
memory/864-62-0x0000000000000000-mapping.dmp

Download
memory/864-75-0x0000000072BE0000-0x000000007318B000-memory.dmp

Filesize
5.7MB

Download
memory/900-59-0x0000000000E20000-0x0000000000E3E000-memory.dmp

Filesize
120KB

Download
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/1692-64-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads