Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 26-06-2022 23:52

Static task: static1

Behavioral task: behavioral1
- Sample: 3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
- Resource: win10v2004-20220414-en
General
- Target: 3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
- Size: 298KB
- MD5: 1a89b7d4fb8ded72e1f8e81ee9352262
- SHA1: 3124893ffd96050e924ad003704c6144fde50ac3
- SHA256: 3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c
- SHA512: 77edf5e933116f190d8aec898c53d2ce93b8f12a1e5991eb2eb94f2c8527a82744308a5c093a238cf1d04de63080f2b37e167343531931c2e682e404a0ec2f0a
Malware Config
Extracted
- Protocol: ftp
- Host: canon222.aiq.ru
- Port: 21
- Username: u380797
- Password: wly1fs7n
Signatures

Detect Neshta Payload 5 IoCs
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\aimbot 21.0.exe  family_neshta
- \Users\Admin\AppData\Local\Temp\aimbot 21.0.exe  family_neshta
- C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe  family_neshta
- C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe  family_neshta
- behavioral1/memory/1824-70-0x0000000000400000-0x0000000000493000-memory.dmp  family_neshta
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  aimbot 21.0.exe
Neshta
Neshta is a file infector: malware from this family writes itself into other executable files in order to spread and cause damage.
Executes dropped EXE 2 IoCs
Processes (pid / process):
- 912  aimbot 21.0.exe
- 1244  aimbot 21.0.exe
VMProtect packed file 7 IoCs
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe  vmprotect
- \Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe  vmprotect
- C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe  vmprotect
- C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe  vmprotect
- behavioral1/memory/1244-66-0x0000000000400000-0x000000000047B000-memory.dmp  vmprotect
- behavioral1/memory/1244-73-0x0000000000400000-0x000000000047B000-memory.dmp  vmprotect
- behavioral1/memory/1244-96-0x0000000000400000-0x000000000047B000-memory.dmp  vmprotect
Loads dropped DLL 5 IoCs
Processes (pid / process):
- 1824  3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
- 1824  3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
- 912  aimbot 21.0.exe
- 912  aimbot 21.0.exe
- 912  aimbot 21.0.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
Drops file in System32 directory 3 IoCs
Processes (description / ioc / process):
- File opened for modification  C:\Windows\SysWOW64\ads3.exe  aimbot 21.0.exe
- File opened for modification  C:\Windows\SysWOW64\ads.exe  aimbot 21.0.exe
- File opened for modification  C:\Windows\SysWOW64\ads2.exe  aimbot 21.0.exe
Drops file in Program Files directory 64 IoCs
Processes (description / ioc / process). Every entry is "File opened for modification" by aimbot 21.0.exe:
- C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
- C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
- C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
- C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
- C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WINDOW~1\wab.exe
- C:\PROGRA~2\WINDOW~1\WinMail.exe
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
- C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
- C:\PROGRA~2\WI54FB~1\wmprph.exe
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
- C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
- C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
- C:\PROGRA~2\WINDOW~1\wabmig.exe
- C:\PROGRA~2\WI54FB~1\wmpshare.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
- C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
- C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
- C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
- C:\PROGRA~2\MICROS~1\Office14\misc.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
- C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
- C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
- C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
- C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
- C:\PROGRA~2\WI54FB~1\setup_wm.exe
Drops file in Windows directory 1 IoCs
Processes (description / ioc / process):
- File opened for modification  C:\Windows\svchost.com  aimbot 21.0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings 37 IoCs
Of the entries below, only the creation of \Main by aimbot 21.0.exe is attributable to the sample itself; the rest are written by Internet Explorer after it is launched with the http://adf.ly/40h0K URL (see the process tree).
Processes (description / ioc / process). All keys are relative to \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer:
- Key created  \Main\WindowsSearch  IEXPLORE.EXE
- Key created  \TabbedBrowsing\NewTabPage  iexplore.exe
- Key created  \GPU  iexplore.exe
- Set value (str)  \Main\WindowsSearch\Version = "WS not running"  iexplore.exe
- Key created  \Recovery\PendingRecovery  iexplore.exe
- Key created  \LowRegistry\DOMStorage  iexplore.exe
- Key created  \LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
- Key created  \Toolbar  iexplore.exe
- Set value (data)  \TabbedBrowsing\NewTabPage\LastProcessed = 308ca097ca89d801  iexplore.exe
- Key created  \DomainSuggestion\FileNames  iexplore.exe
- Key created  \Main  aimbot 21.0.exe
- Key created  \Main  iexplore.exe
- Key created  \BrowserEmulation\LowMic  iexplore.exe
- Key created  \Toolbar\WebBrowser  iexplore.exe
- Key created  \TabbedBrowsing  iexplore.exe
- Key created  \Main  IEXPLORE.EXE
- Set value (str)  \Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
- Set value (data)  \TabbedBrowsing\NewTabPage\MFV = (value not captured)  iexplore.exe
- Key created  \DomainSuggestion  iexplore.exe
- Key created  \IETld\LowMic  iexplore.exe
- Set value (int)  \TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
- Set value (data)  \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd40000000002000000000010660000000100002000000088cec3851e67b1ea56fb9e8582de02b366de83af2cd46d1d89daeb173a0702da000000000e8000000002000020000000a2612f7b0b1c5ed95f552b11ace9646461a3d5acd3db98baf285852ccfd06cb72000000058198d704f4a01ccbab09d236fc4012c71dcf1831e298a1ae2a1cceb58328e8d4000000008cde9eaa6e34a374856513951d62cdd1f78ba5843c04e6ea4cb2f5857c5eeab2aec67c0e1a0ab00b576a496af7d80480d6aa2e47e1a9fbf93a60fa7cb6be54f  iexplore.exe
- Set value (int)  \Recovery\AdminActive\{C17C9C61-F5BD-11EC-9154-F2D3CC06C800} = "0"  iexplore.exe
- Set value (str)  \DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
- Set value (int)  \DomainSuggestion\NextUpdateDate = "363060563"  iexplore.exe
- Key created  \InternetRegistry  iexplore.exe
- Key created  \LowRegistry  iexplore.exe
- Set value (int)  \Main\CompatibilityFlags = "0"  iexplore.exe
- Set value (int)  \Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
- Key created  \Zoom  iexplore.exe
- Key created  \Main\WindowsSearch  iexplore.exe
- Set value (data)  \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
- Set value (str)  \Main\FullScreen = "no"  iexplore.exe
- Key created  \DomainSuggestion\FileNames\  iexplore.exe
- Key created  \IntelliForms  iexplore.exe
- Key created  \PageSetup  iexplore.exe
- Key created  \Recovery\AdminActive  iexplore.exe
Modifies registry class 1 IoCs
Processes (description / ioc / process):
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  aimbot 21.0.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process):
- 1824  3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
- 1244  aimbot 21.0.exe (this same entry is repeated for each of the remaining IoCs)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege  1244  aimbot 21.0.exe
- Token: SeDebugPrivilege  1244  aimbot 21.0.exe
- Token: SeDebugPrivilege  1244  aimbot 21.0.exe
- Token: SeDebugPrivilege  1244  aimbot 21.0.exe
- Token: SeDebugPrivilege  1244  aimbot 21.0.exe
- Token: SeDebugPrivilege  1244  aimbot 21.0.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes (pid / process):
- 1244  aimbot 21.0.exe
- 1244  aimbot 21.0.exe
- 1244  aimbot 21.0.exe
- 1248  IEXPLORE.EXE
- 1248  IEXPLORE.EXE
- 1248  IEXPLORE.EXE
- 1248  IEXPLORE.EXE
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description / pid / process / target process):
- PID 1824 wrote to memory of 912  1824  3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe  aimbot 21.0.exe
- PID 1824 wrote to memory of 912  1824  3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe  aimbot 21.0.exe
- PID 1824 wrote to memory of 912  1824  3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe  aimbot 21.0.exe
- PID 1824 wrote to memory of 912  1824  3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe  aimbot 21.0.exe
- PID 912 wrote to memory of 1244  912  aimbot 21.0.exe  aimbot 21.0.exe
- PID 912 wrote to memory of 1244  912  aimbot 21.0.exe  aimbot 21.0.exe
- PID 912 wrote to memory of 1244  912  aimbot 21.0.exe  aimbot 21.0.exe
- PID 912 wrote to memory of 1244  912  aimbot 21.0.exe  aimbot 21.0.exe
- PID 1244 wrote to memory of 1588  1244  aimbot 21.0.exe  Explorer.exe
- PID 1244 wrote to memory of 1588  1244  aimbot 21.0.exe  Explorer.exe
- PID 1244 wrote to memory of 1588  1244  aimbot 21.0.exe  Explorer.exe
- PID 1244 wrote to memory of 1588  1244  aimbot 21.0.exe  Explorer.exe
- PID 700 wrote to memory of 1396  700  explorer.exe  iexplore.exe
- PID 700 wrote to memory of 1396  700  explorer.exe  iexplore.exe
- PID 700 wrote to memory of 1396  700  explorer.exe  iexplore.exe
Processes (tree; the number in brackets is the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3588af3f2e0bd35d34ae5dcc2e9ec9c303be9607bb5ec82acd36d856894da65c.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe"
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\Explorer.exe
          Command line: Explorer http://adf.ly/40h0K

[1] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://adf.ly/40h0K
      - Modifies Internet Explorer settings

    [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
- Filesize: 236KB
- MD5: c7a400dd9d4d867012a84e1210cf4855
- SHA1: 971caac7e21e94e90cfaf6747a46c200679443df
- SHA256: 71c542218e3d2b04386b020f5ebf02402c5e40cd0b4ba0b2e07771ee6620483d
- SHA512: 88ed2d8d6b4572f351b4da8263c254701af7df1755843c98ebcd0cf9e9b6929085a29cae59511a92da026ee671e69cff2d33f24c5e7dd0b66f366da4ef1710f8

C:\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
- Filesize: 276KB
- MD5: ceaf625fcce888f1ee609aa9023f5059
- SHA1: 4ffa529a3c6fca78c65ad89b6f16aef7519b983e
- SHA256: f95206dc9a1f5c922256752180d79c961aaf2d87db84c8accfcbcea35e434ca7
- SHA512: e463d764566f5f695438e773e0bd789ccf9c249b50993a07fe48a289bd8dd41fed4fb27211e343fbae5eb3e81d5a5b55574219d43a5c7d7ce8f5e1a2da5a964f

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
- Filesize: 252KB
- MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
- SHA1: ec66cda99f44b62470c6930e5afda061579cde35
- SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
- SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

\Users\Admin\AppData\Local\Temp\3582-490\aimbot 21.0.exe
- Filesize: 236KB
- MD5: c7a400dd9d4d867012a84e1210cf4855
- SHA1: 971caac7e21e94e90cfaf6747a46c200679443df
- SHA256: 71c542218e3d2b04386b020f5ebf02402c5e40cd0b4ba0b2e07771ee6620483d
- SHA512: 88ed2d8d6b4572f351b4da8263c254701af7df1755843c98ebcd0cf9e9b6929085a29cae59511a92da026ee671e69cff2d33f24c5e7dd0b66f366da4ef1710f8

\Users\Admin\AppData\Local\Temp\aimbot 21.0.exe
- Filesize: 276KB
- MD5: ceaf625fcce888f1ee609aa9023f5059
- SHA1: 4ffa529a3c6fca78c65ad89b6f16aef7519b983e
- SHA256: f95206dc9a1f5c922256752180d79c961aaf2d87db84c8accfcbcea35e434ca7
- SHA512: e463d764566f5f695438e773e0bd789ccf9c249b50993a07fe48a289bd8dd41fed4fb27211e343fbae5eb3e81d5a5b55574219d43a5c7d7ce8f5e1a2da5a964f

Memory dumps (path / Filesize):
- memory/700-95-0x000007FEFC511000-0x000007FEFC513000-memory.dmp  8KB
- memory/912-57-0x0000000000000000-mapping.dmp
- memory/912-71-0x0000000002640000-0x00000000026BB000-memory.dmp  492KB
- memory/912-72-0x0000000002640000-0x00000000026BB000-memory.dmp  492KB
- memory/1244-66-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
- memory/1244-73-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
- memory/1244-63-0x0000000000000000-mapping.dmp
- memory/1244-96-0x0000000000400000-0x000000000047B000-memory.dmp  492KB
- memory/1588-92-0x0000000000000000-mapping.dmp
- memory/1588-94-0x00000000720A1000-0x00000000720A3000-memory.dmp  8KB
- memory/1824-70-0x0000000000400000-0x0000000000493000-memory.dmp  588KB
- memory/1824-54-0x0000000075E31000-0x0000000075E33000-memory.dmp  8KB