neshta | e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45

Analysis

max time kernel
192s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2022 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
Size

600KB
MD5

5bfabaaf40312a75808a1ba556dba0d7
SHA1

699ce914a4309743fd35a147e6f0bedb643b31d0
SHA256

e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45
SHA512

f1d19952bf636703e6d50a2a35a2d44f608d06ed9abfe3bc2c6bc4a6950d8c974af81ad7cd5469ab53505717c0ba9aa6e9fac0599e44795f27af93ea49142f70

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 18 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	family_neshta
C:\odt\office2016setup.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	family_neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 3 IoCs

Processes:

Logo1_.exee73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exee73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

pid	process
5036	Logo1_.exe
3176	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
1528	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exee73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jsaddins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Mutable\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\UserControls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe

Drops file in Windows directory 5 IoCs

Processes:

e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exeLogo1_.exee73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
File created	C:\Windows\Logo1_.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\svchost.com	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Logo1_.exe

pid	process
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe
5036	Logo1_.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exeLogo1_.execmd.exenet.exee73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

description	pid	process	target process
PID 3568 wrote to memory of 4420	3568	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	cmd.exe
PID 3568 wrote to memory of 4420	3568	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	cmd.exe
PID 3568 wrote to memory of 4420	3568	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	cmd.exe
PID 3568 wrote to memory of 5036	3568	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	Logo1_.exe
PID 3568 wrote to memory of 5036	3568	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	Logo1_.exe
PID 3568 wrote to memory of 5036	3568	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	Logo1_.exe
PID 5036 wrote to memory of 4220	5036	Logo1_.exe	net.exe
PID 5036 wrote to memory of 4220	5036	Logo1_.exe	net.exe
PID 5036 wrote to memory of 4220	5036	Logo1_.exe	net.exe
PID 4420 wrote to memory of 3176	4420	cmd.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
PID 4420 wrote to memory of 3176	4420	cmd.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
PID 4420 wrote to memory of 3176	4420	cmd.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
PID 4220 wrote to memory of 3160	4220	net.exe	net1.exe
PID 4220 wrote to memory of 3160	4220	net.exe	net1.exe
PID 4220 wrote to memory of 3160	4220	net.exe	net1.exe
PID 3176 wrote to memory of 1528	3176	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
PID 3176 wrote to memory of 1528	3176	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
PID 3176 wrote to memory of 1528	3176	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe	e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
PID 5036 wrote to memory of 2164	5036	Logo1_.exe	Explorer.EXE
PID 5036 wrote to memory of 2164	5036	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2164
- C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
  "C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1BC5.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
      "C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe"
      4⤵
      Modifies system executable filetype association
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe"
        5⤵
        Executes dropped EXE
        
        PID:1528
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

Filesize
205KB

MD5
56ff12be16d244f02e3f4b068cc89879

SHA1
16e12c8c5dcfaf53f9af5ed786af929584dc51ba

SHA256
d2295874786de9adc99de34e35f68e5b0b3bfe6a5cae7145f07751da276709d2

SHA512
c29ea341010d16f9f35971be9f2f5b687450f3a745ad420693e734e96234d2dcd341e4e3ff01ce3b24647fe24a4e9fd7a94acb7fe947808943d5ade378b7e5a7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

Filesize
357KB

MD5
5365d04de9e5154c6cd64182d4f5a2cc

SHA1
f0f3d4e0a913a1f29a0197c3c23979c19b53ef3b

SHA256
5bdc8f05959a867afda280f69e56199e3d5e6b7f06d826c5c6703769b19c357c

SHA512
21bba0fd1086e6210ee242e799d3f89c0b316c8eff58c0312cf8a03cde0345950c4a2a758023460f1f7fcc6f0f664d1ca78e778a7523269b576cdb1479640781

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
e3120d144e43f1aeaa6d8c4bfa53e5ae

SHA1
d30e626b912487c320391af05e9ca80eb6a9650a

SHA256
8183aa7569f4f6a8cba2de6f8dac246a484206d82a3f20060ab04a75969a4a63

SHA512
0b9f9579da106aea824c2dd1b20d7dc4829156f733a6fa03d5c87be4bc5aa44ec2f91b3040aa40a093c1a1b1cd04deec32884ab0e7c007f03eaeab1fa7cfd09d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Filesize
2.5MB

MD5
6102024c37b02da45d9b46da88015629

SHA1
3b64a30de44c6c9dd5a50d6779b97512e2178e06

SHA256
2794822ce64b5fa724825d8e9de2266d5d9e7d2d201ffde3296fa1d986dcda5d

SHA512
bb3828a87e99cd53df133a0ea680879d6c6d2a29bb3290098afc3c5fbb89785912dcdc51fef09814064f551e629b38a7e294cbe6b1af9cc8ae9b7add3378da71

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

Filesize
116KB

MD5
b870cab2c7d3d1df58c7609c82cdcffb

SHA1
fa62d5dc2bf637d2aea0e5e44cb8e6482c22d380

SHA256
939bb5bdaeccd93fc1a6888709d49204ca4b30e8648b918c58b612802bdd5a14

SHA512
8bd5dd7fe5642326d6e81e747ce7df0ecb2478cbdb3d4242f7c9ce3291bdb763b4466c7f0d1406d9d07d11a2daa29b52e9001009f806463046416a558fde8bc8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

Filesize
5.7MB

MD5
266672445658747f11a57014fa37a6fc

SHA1
b3938b6f501ee3e82d488ccef8bfbc1c4703a590

SHA256
8a9543a84a3d10ef96a3c7153f4bda31e17b67f295371e2b845844615370ccc8

SHA512
db98e6bfdb10ca9c4cc8cb0b8a80b557c14c62fb14200032371777360f0aa6ed3163d221cc7256a1d0cb20d545be846470c395503fd8b096c6da42811665e410

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Filesize
213KB

MD5
7a478e925eb7f951ebede9e89f519587

SHA1
5c00701db0846836a75223942f00a21e1558037b

SHA256
0734b667c4ced8685f5b068357cb577c4e8af7afe093d627a5d089267d9ee0fe

SHA512
bb7c8b4c7255442cfc743aa984f99d5a9e1ffc51c8ba65c11fc15de5f35aa55186283f378e4c575d763e770b4b4c079fec6c0427aeb8dbfe628b7f119239573d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

Filesize
161KB

MD5
c5559621cc86b953ac23869f5f0edbb0

SHA1
8c77af7ed4b09f5e2930edf7cf4f18574be23270

SHA256
fcadfe891cf6d4afe27021f3068ec9fa1335bdea7c670592a629c40654e22635

SHA512
1bed81c9684c7f92990cf89f57a6a1695d7b7d32606eb9c3f05a191f498b48b51699421abec66f4baa5adfa4c1d798b2df09558bfad464be76ae2043c3aded3c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

Filesize
283KB

MD5
803e85196f3b3732d6b769ca3fe4bb9f

SHA1
7d60abe64a19892aca749193a9810bcc0fbde116

SHA256
499cc4614ce2d915ef6bee436610d0d3448cdb71a284f2b0e75e214daa360f13

SHA512
eeb5eb7970181e2346cf451681bbd4872b000ff0d08d0b3b205bf201dbfb69bf2c56de6074f0815a250770e566df19bc8772740a3bcdc906a21f5feddd8be6ef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

Filesize
415KB

MD5
df7dcd2db00baa527c9634b87f5c27df

SHA1
3ac956c557c4a1c1d679aa8729ac5cb093d9bd71

SHA256
deb9c1cfbecc0f82c3a8e4945dc21a1a5a672201a6094ac398cf4fc4f7a9ca94

SHA512
9656d697598afbb53c4740cf517597df8d7decf36bf195e4f57b0550dc92b087790e238ce8c0fb386869094b1a66c5643709c81598bd5ffed9929843351394a0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

Filesize
154KB

MD5
6ab9c0a01c11c10ee5eacebd538c2962

SHA1
bdffc713f4d1d09547977f02801f1f13f5b259cf

SHA256
fe569bb76fe5210592fc816f2a96be5e3861878f56d884f9a7dee0b0a9f80567

SHA512
b8e0ba241799ef0d672ddffe6301b054051134bd4bd9287d2208fb8375f42eac4a2b2b600ec093effa6e25e8a2cca89553baf6120fd0570ecdf11e10f9658742

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
172KB

MD5
c3027ff4f3fe7a8e4726db8f366e0274

SHA1
009758af0e3bef1e85413c6c5a1172b41ee7df05

SHA256
66ad55cecfd298b9fe3f00aa24a8721b18521e5e076dc369dba1513961fcd709

SHA512
6276d2044b9ed33519420b4280f1257a3f7ef0ebb1da4c07adfaea3ce98bbdaf95e70a6c831dfeffb9de4199d6fe821b00e5f12af481eb1006d868c7ed7b2538

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe

Filesize
307KB

MD5
055f67716daef9ccd57deb6f7fe021ec

SHA1
35e4d761c0f14ed657cdf4b4328a92cf38a6ed4e

SHA256
43e83e06f773543d49824ee4da03e8ba012c67118421b177f93ef78a802ddc73

SHA512
8a075a8d6864b32aa0f042f1223e1ea6a01c63ff8d151e72597a0929e5f94494109e12e42294db97eabaa2a50caf969b77010fb07ebf64ba4c1405d57907d1f9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

Filesize
122KB

MD5
4eda8c8cfdf54b2083ef1e2e2df61550

SHA1
5fd97331e79cc582c6bede4f6fc72b35fc0f6066

SHA256
1c8254b9da8452356f9af06b7ec971e2661143ecf62ae669b76397202d31d3e9

SHA512
4c708292e2d25c8b5109102d25e059d8a8bb0bb12084671076663667afce155d82c4fe7c2a1a91e6912c15ee4204dc7c28905b4f0e3d90f1fec5e057131073a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

Filesize
177KB

MD5
544ffcef1929e947d202005a8a3f89a8

SHA1
0dd186f5f079eef69112d8ef559f064af97fe5b6

SHA256
332e7eaa815868260854e6b488f148ab1488f3fe02b16b82b04e1bccbd4f3179

SHA512
0ed6d9b1e1ea7d3271ff771d64ef9435a0137ff7b91b98de570d4ac8b2d6f849188fc677515ab803a27e282ef27b420a0d5c891439829ff7392a6e5b6153ba74

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1BC5.bat

Filesize
722B

MD5
1d6a5ed42da816d7b91c1e26589d792d

SHA1
2fa520cf6cb9f6f3940b7389ae663cb1194c111e

SHA256
627b91feef3c5391fe741d1d9c7448fcaa2e4a6574c88c3f40b18024b2ca180e

SHA512
6f205383afb870fb096912f8054d28fed66e0933200c2f358acfb9c985020dca3faaa6db421cbb96de8fc56a02e9e3fbcb3800130113af3585bddb38628e08fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

Filesize
530KB

MD5
3c283c1bfa1d88c2d4d52148ce62a7c7

SHA1
105e42357da43d8f1e0fdad715289e5bd53c0c6f

SHA256
e18c02ba480e83489976314a0a79441108faf4d246292eba1eadd36ce4fc6acd

SHA512
893ee54ef2c0b3103683828bbc9418a72b501df04be80e0b29ce6343cc28312987beb22bfa8e28172408579b6e5cfbf43e0ff21221228472e7960bcdeaf8a70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

Filesize
530KB

MD5
3c283c1bfa1d88c2d4d52148ce62a7c7

SHA1
105e42357da43d8f1e0fdad715289e5bd53c0c6f

SHA256
e18c02ba480e83489976314a0a79441108faf4d246292eba1eadd36ce4fc6acd

SHA512
893ee54ef2c0b3103683828bbc9418a72b501df04be80e0b29ce6343cc28312987beb22bfa8e28172408579b6e5cfbf43e0ff21221228472e7960bcdeaf8a70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe

Filesize
571KB

MD5
015b3b0b2f21a0fb142817dfba08138f

SHA1
198582cd4d1b1f405869dda43ce97f9f29131cce

SHA256
9a59150dc27c3492f305da6e2fe1bf9e6b566927336a03cbfe8c0bb80829a178

SHA512
0c0a643e8762bc6811c58aa7ec7d11f3df0b80707e4e67c306c2acaf4e8f7c109af423db06ea9b05bb9c62bd9821235c55e92a56a00445193d8e5b3fd09de11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e73a332118981d6b6ac09c9cdf0fb0012bb59772038361d5cff79aac26744b45.exe.exe

Filesize
571KB

MD5
015b3b0b2f21a0fb142817dfba08138f

SHA1
198582cd4d1b1f405869dda43ce97f9f29131cce

SHA256
9a59150dc27c3492f305da6e2fe1bf9e6b566927336a03cbfe8c0bb80829a178

SHA512
0c0a643e8762bc6811c58aa7ec7d11f3df0b80707e4e67c306c2acaf4e8f7c109af423db06ea9b05bb9c62bd9821235c55e92a56a00445193d8e5b3fd09de11c

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
0b50d3a56cf91764d2b15d824380d451

SHA1
f9e8e781089e297f7b3789325b7cffd42bdd89b5

SHA256
479ea3322ec1bcda95ef066794434c1f2f379a4b69e35a1c8491689a0b16168f

SHA512
0bc1b8e0d1a58064c2fad3d93cd409a4e3ee3d7c0c7a2a447404569ea0f084ef043c9c382577ce4f99a6baf4c77595d2a37dcae5629bd252b8537965918d30b4

Download Submit
C:\Windows\Logo1_.exe

Filesize
29KB

MD5
0b50d3a56cf91764d2b15d824380d451

SHA1
f9e8e781089e297f7b3789325b7cffd42bdd89b5

SHA256
479ea3322ec1bcda95ef066794434c1f2f379a4b69e35a1c8491689a0b16168f

SHA512
0bc1b8e0d1a58064c2fad3d93cd409a4e3ee3d7c0c7a2a447404569ea0f084ef043c9c382577ce4f99a6baf4c77595d2a37dcae5629bd252b8537965918d30b4

Download Submit
C:\Windows\rundl132.exe

Filesize
29KB

MD5
0b50d3a56cf91764d2b15d824380d451

SHA1
f9e8e781089e297f7b3789325b7cffd42bdd89b5

SHA256
479ea3322ec1bcda95ef066794434c1f2f379a4b69e35a1c8491689a0b16168f

SHA512
0bc1b8e0d1a58064c2fad3d93cd409a4e3ee3d7c0c7a2a447404569ea0f084ef043c9c382577ce4f99a6baf4c77595d2a37dcae5629bd252b8537965918d30b4

Download Submit
C:\odt\office2016setup.exe

Filesize
5.1MB

MD5
ebbca2456577ac11ddc0cd6dcd7d08bc

SHA1
d453ac551ecaa98efcc904571f08c9c7badf5f5f

SHA256
df0ee3ecf3274663ee96c4151a42ab8ec53291e02e04b81e497e9dec2e0f14b5

SHA512
8c60825c2334b695bf66c9c440bbd48ef85c619228ab989d7a2feb2b3eca7e2dd96fa60f1c5f690a2e07a6fed0ca7e7823e4333dc23f5cc487fdb64804b72178

Download Submit
memory/1528-144-0x0000000000000000-mapping.dmp

Download
memory/1528-147-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3160-143-0x0000000000000000-mapping.dmp

Download
memory/3176-140-0x0000000000000000-mapping.dmp

Download
memory/3568-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3568-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4220-139-0x0000000000000000-mapping.dmp

Download
memory/4420-131-0x0000000000000000-mapping.dmp

Download
memory/5036-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5036-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5036-132-0x0000000000000000-mapping.dmp

Download