neshta | dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe

Analysis

max time kernel
88s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-10-2022 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
Size

871KB
MD5

743f9d12268b032178bf84da71e5b540
SHA1

205f65c40d81c4f21f3b8815301b8e159e33d7a4
SHA256

dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe
SHA512

14c5488bcbb0f4d93d8a947581ea1d4329d1fd069dfddba8fb658b7079c8bfc94ff8b15d7096d7e2fd9c4c2437e258480dd0c732d1dfc2d43368e09012b967ff
SSDEEP

12288:nKjZA27e8blyJx/QljSIO6duGgeV28xLZi8dywvP5XuyH/3jOIwI3:Kj26hyJxS+Ize4xti83u+TOIwI3

Score

10^/10

neshta persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta payload 19 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	family_neshta
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 6 IoCs

Processes:

dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exesvchost.compv.exesvchost.comProcExp.exeProcExp64.exe

pid	process
1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
576	svchost.com
1488	pv.exe
552	svchost.com
1340	ProcExp.exe
1908	ProcExp64.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	upx
behavioral1/memory/1152-61-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1152-106-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exesvchost.comsvchost.comProcExp.exe

pid	process
1492	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
576	svchost.com
576	svchost.com
576	svchost.com
1492	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
552	svchost.com
552	svchost.com
1340	ProcExp.exe
1424

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comdcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com

Drops file in Windows directory 5 IoCs

Processes:

svchost.comsvchost.comdcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

pv.exe

pid process

1488 pv.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pv.exe

description pid process

Token: SeDebugPrivilege 1488 pv.exe

pid	process
1488	pv.exe

description	pid	process
Token: SeDebugPrivilege	1488	pv.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exedcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exesvchost.comsvchost.comProcExp.exe

description	pid	process	target process
PID 1492 wrote to memory of 1152	1492	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
PID 1492 wrote to memory of 1152	1492	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
PID 1492 wrote to memory of 1152	1492	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
PID 1492 wrote to memory of 1152	1492	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
PID 1152 wrote to memory of 576	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 1152 wrote to memory of 576	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 1152 wrote to memory of 576	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 1152 wrote to memory of 576	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 576 wrote to memory of 1488	576	svchost.com	pv.exe
PID 576 wrote to memory of 1488	576	svchost.com	pv.exe
PID 576 wrote to memory of 1488	576	svchost.com	pv.exe
PID 576 wrote to memory of 1488	576	svchost.com	pv.exe
PID 1152 wrote to memory of 552	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 1152 wrote to memory of 552	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 1152 wrote to memory of 552	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 1152 wrote to memory of 552	1152	dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe	svchost.com
PID 552 wrote to memory of 1340	552	svchost.com	ProcExp.exe
PID 552 wrote to memory of 1340	552	svchost.com	ProcExp.exe
PID 552 wrote to memory of 1340	552	svchost.com	ProcExp.exe
PID 552 wrote to memory of 1340	552	svchost.com	ProcExp.exe
PID 1340 wrote to memory of 1908	1340	ProcExp.exe	ProcExp64.exe
PID 1340 wrote to memory of 1908	1340	ProcExp.exe	ProcExp64.exe
PID 1340 wrote to memory of 1908	1340	ProcExp.exe	ProcExp64.exe
PID 1340 wrote to memory of 1908	1340	ProcExp.exe	ProcExp64.exe

C:\Users\Admin\AppData\Local\Temp\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
"C:\Users\Admin\AppData\Local\Temp\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pv.exe" -kf procexp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pv.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pv.exe -kf procexp.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1488
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ProcExp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ProcExp.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ProcExp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\ProcExp64.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ProcExp.exe
        5⤵
        Executes dropped EXE
        
        PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
326KB

MD5
5987f7c82fb40510ced50b62938f14ea

SHA1
ee53b958c92a83618344155ad9a4e7024b984cf4

SHA256
96c052a763af458b94cd865c7990d36ab6c8d31eb01370f6772d153d897e0aa4

SHA512
6fea9aea1b567ded824946547a136257d772098f771086d684bdbcd0bfc22f34ac9dd1faa19af6a9f9182960d3d19a41d88e54632a50b23c0a691bf1cfb38fe1

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
422KB

MD5
8bb6d1d1f40099aa6a629fbb036a8cb3

SHA1
8b388ca335032e3b04b0a7d1351ce25c61b4ba52

SHA256
a89419fc4ba9bf5f7ac6b348428ee57403fec3b5964f9e49b6eea49d779f4071

SHA512
3015b210c79a4c61143fa56d62caabc5aebfe8d95b20753aa7f52ed0bcd4faf801134e5ee614c3714d95da666e0548f88db4d3df96d6d7e0e124c5a5add23a81

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
414KB

MD5
e44497b628f663fd0ae07c9b4390452d

SHA1
d850535c67bed4d6bb158b9a3eb595be912f9c62

SHA256
5ab884509927dedddbd6e65e539436638be2d2267d7593de60ec1b4686df3e80

SHA512
5028f949b3e75534481c059f115efefc87331becc70221408de2408e7148db91b9357fb5b44a43c5cf76d1a389c011082cff28b5f0aea5b0822ae55e98be7105

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
140KB

MD5
e584c29c854081c78a366fbcc6f7f84c

SHA1
32b7e552e5916b43d57d7b088c543b77f1067338

SHA256
b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450

SHA512
c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
194KB

MD5
7ed0f5802e7fc1243b7c82862c5bf87c

SHA1
e16741b5050df662da25419da6cf80517fc2a46a

SHA256
3342cf175e2c42ee691ba58cf7f6d6db3116f615b5483327fed706067b265595

SHA512
a006888ed6dbd9dd548f84d57c84e3baccc1ee5c09d2d127ce26c3f01af59e8531bc43b4f986aa45d8853f3d71a87dec2adbd34bd75a182e4f45111c69339fef

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
e19544c111fefa491cfe53b99f8bebc2

SHA1
a05e096689dd82751ccd0a4eec0db54a5f972830

SHA256
82a14caee30a4f86dd143015fc852220a36cc96cdbb9f65aaca87d80f2c43762

SHA512
0f017e3aeea8de42195687c2745b9eccc174e6430149edf22a8f4b5fc24e7881654ba7c55ed2327b9c710787dffa3c438c0d99b06e7e12f6126bc3e86392d4db

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
a1e4ddf8b1d4e3a203b1bd345d995fdd

SHA1
b1fda8de6ce5bc109f209dc3c4e740cedc54b6b1

SHA256
5690aa925ff9eb0d5825717810cbdf75d3403348d5a918ec754beb69a2679b3a

SHA512
0b68b4079bfe317e7b056c76fc985e867f37648ea86b849e44e8a2815b24d3a7ba50cd1d1d910536a224c6fb4f9d22f4bfb5f870d381d151fd6f90307d479ae8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
e19544c111fefa491cfe53b99f8bebc2

SHA1
a05e096689dd82751ccd0a4eec0db54a5f972830

SHA256
82a14caee30a4f86dd143015fc852220a36cc96cdbb9f65aaca87d80f2c43762

SHA512
0f017e3aeea8de42195687c2745b9eccc174e6430149edf22a8f4b5fc24e7881654ba7c55ed2327b9c710787dffa3c438c0d99b06e7e12f6126bc3e86392d4db

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
c19656d84c609115af1f4cd9b45716be

SHA1
554522e1eafe3521e83de781e4bd04b8688f24db

SHA256
319ac5343388b78dd7edcdb2ed6a0c5080593f43bda1acbfd80cd2e390fe6fb5

SHA512
6ace4663cf43ace753599d36bf3541ea6e8913952d90719ae489f393678a51fea7ec70cddea6a6ab4c45ed146b93bfc964e3c82d6bd80b281a6955f2fb8a6167

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
349c6f2f4e32553e8fea4d29772e40e6

SHA1
e2f7856aa519006f8cbc9943cc3fb34c4461932d

SHA256
7c4fd44a9cda339ac3e7fa93b0b2a24b1e0ac16996dbb19cfdcd6323170b1fd3

SHA512
0b9f9aafb1a682f9e5a5dccae0dc19e3cf21c5d2aa4df3e22311f5744255f668e9a1e11ee21f2656d9f45236c484e0b7b460a57db1c34f2d344bd4cbece42588

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
536KB

MD5
2acb54dd83be1957482f0df591ade3f5

SHA1
c6e9ebe71564c55a7260d1e8f45b11bd125d95cc

SHA256
af7961a615915aa0c59b735254e537004eab00e57466585390bbb0e29a5948a6

SHA512
011a2ca1d42e4bc26db7353ca79a9800cb9c9be271c531ce2afbb230b8487729da02c307f65a52f828459ca1b3aa4326c576bb4364f70b149e8b4f479b06cc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

Filesize
830KB

MD5
5423688101129b7381362ec67f2ebf07

SHA1
5600f00c0a56b1f5ff89e9406b873c45fb57eb48

SHA256
ad6510b49ecd4ac96e9444ef88e0405c1f0e6902628f64616cdcec112f0583f5

SHA512
1abf92be9e2060b8d9d0228484f6d937e073df77b2f7880965117b2455a187d7a9fe804e4ab9a3ad384504d3e57bbbe863577ddbc6ac26fe3cae772d0e8bc8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

Filesize
830KB

MD5
5423688101129b7381362ec67f2ebf07

SHA1
5600f00c0a56b1f5ff89e9406b873c45fb57eb48

SHA256
ad6510b49ecd4ac96e9444ef88e0405c1f0e6902628f64616cdcec112f0583f5

SHA512
1abf92be9e2060b8d9d0228484f6d937e073df77b2f7880965117b2455a187d7a9fe804e4ab9a3ad384504d3e57bbbe863577ddbc6ac26fe3cae772d0e8bc8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ProcExp.exe

Filesize
2.7MB

MD5
4c3152771f439cf1f4bd5852d83d3538

SHA1
a5418b660f6557d302b2e76ce3a77c56120107c5

SHA256
85a2f1317a38efe36411992c3b8e7e4e014f98cafda1ff2cc2a7b4996f262f24

SHA512
063f01b076ce7c634d2af9086e6cd66890adafd6e6c11f428dd6fa5ae588e5f35924a0fd23f69146c9107500bd642c7d3b760d35dcaaa2df8f1b327d322f719d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\procexp.exe

Filesize
2.7MB

MD5
4c3152771f439cf1f4bd5852d83d3538

SHA1
a5418b660f6557d302b2e76ce3a77c56120107c5

SHA256
85a2f1317a38efe36411992c3b8e7e4e014f98cafda1ff2cc2a7b4996f262f24

SHA512
063f01b076ce7c634d2af9086e6cd66890adafd6e6c11f428dd6fa5ae588e5f35924a0fd23f69146c9107500bd642c7d3b760d35dcaaa2df8f1b327d322f719d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pv.exe

Filesize
60KB

MD5
5daf7081a4bb112fa3f1915819330a3e

SHA1
573836139a09310749633889913264f870e3a933

SHA256
ee6659688277d484ec857f9e1b5076f882ba314f4037b6ff24a8fa8ad270c6e8

SHA512
aa0d8814617ac72cd16e9ae119a55942f151637efb2e9c1bfe87480b5116741f4001f723b46ed533b8c44a8fd41859b8affbdd8a7060c0ceea4e1f67001a42a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pv.exe

Filesize
60KB

MD5
5daf7081a4bb112fa3f1915819330a3e

SHA1
573836139a09310749633889913264f870e3a933

SHA256
ee6659688277d484ec857f9e1b5076f882ba314f4037b6ff24a8fa8ad270c6e8

SHA512
aa0d8814617ac72cd16e9ae119a55942f151637efb2e9c1bfe87480b5116741f4001f723b46ed533b8c44a8fd41859b8affbdd8a7060c0ceea4e1f67001a42a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcExp64.exe

Filesize
1.5MB

MD5
2b3334500f3c0c8e351770c3f1053609

SHA1
a56f87b992a2c77034af39d84a9489bcd7812886

SHA256
fc199c705a8f1d3129515a7d25dc712c456c8069c722e8628b3331e040b8140d

SHA512
d0cb37881a973dee7e7ef19af3369224fa7422eb78138c46852ca342d8279998cac2e8e6797693c1ac6ef1e7c57d0fedc6ff5fdffa182a011df0664c2a5f1c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
2aaccc04138b0fd959158bb98559b18a

SHA1
59f69547050be658f806d5f90c233978f2116c3e

SHA256
cb8a280aa0ab6fa3063b0a3396120f1db92a12e0afdfba2cd677b38b9960d155

SHA512
ce9a50a7960f66df405f1204fc46da04d62d01afcfbca174385820e149d8260bcd3f0ab9be5f0a00145d1f5f666a51f9aed4d40715894eb54b9f6885e871e0c8

Download Submit
C:\Windows\directx.sys

Filesize
67B

MD5
22de14350159a924a9b77e55780f2dbc

SHA1
6c7955424bb6b9d4b4ef5e204de4bde4c26663c6

SHA256
12d531388dd5082b4b7390f4c8ac1bfda6a628ed470981c436fadd92bb3cff0b

SHA512
cd72ad1648053e9f1b1fc116a582114aff8fe61f877136f440e5ae04f9db0790a9b59b5dbdbbd6ea28f9d2f1f1efc4459d439518c394505d93318a1bf58f66f6

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
d875bcdbffd24845cf27e20171ca6cb9

SHA1
fb6f500e3237d92b355e99402e426863104ba4fc

SHA256
67ba4e0b69955cb0f48b75d42214faf3e8ea246aa3ae1dc115e92a6b23f52791

SHA512
a1f89c49680b81f0dd88b7865ee7e502bd39a29476ee38ebd088778b52f6e5971df8ca58ea6bc62e38bcf4766fb92b629663b8aa9dafcbdd58ca91727a5d6686

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
d875bcdbffd24845cf27e20171ca6cb9

SHA1
fb6f500e3237d92b355e99402e426863104ba4fc

SHA256
67ba4e0b69955cb0f48b75d42214faf3e8ea246aa3ae1dc115e92a6b23f52791

SHA512
a1f89c49680b81f0dd88b7865ee7e502bd39a29476ee38ebd088778b52f6e5971df8ca58ea6bc62e38bcf4766fb92b629663b8aa9dafcbdd58ca91727a5d6686

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
d875bcdbffd24845cf27e20171ca6cb9

SHA1
fb6f500e3237d92b355e99402e426863104ba4fc

SHA256
67ba4e0b69955cb0f48b75d42214faf3e8ea246aa3ae1dc115e92a6b23f52791

SHA512
a1f89c49680b81f0dd88b7865ee7e502bd39a29476ee38ebd088778b52f6e5971df8ca58ea6bc62e38bcf4766fb92b629663b8aa9dafcbdd58ca91727a5d6686

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\dcfa2dc958efab924a16785ab725aa25ae4ae8f322cf37199455cdb1892817fe.exe

Filesize
830KB

MD5
5423688101129b7381362ec67f2ebf07

SHA1
5600f00c0a56b1f5ff89e9406b873c45fb57eb48

SHA256
ad6510b49ecd4ac96e9444ef88e0405c1f0e6902628f64616cdcec112f0583f5

SHA512
1abf92be9e2060b8d9d0228484f6d937e073df77b2f7880965117b2455a187d7a9fe804e4ab9a3ad384504d3e57bbbe863577ddbc6ac26fe3cae772d0e8bc8cf

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ProcExp.exe

Filesize
2.7MB

MD5
4c3152771f439cf1f4bd5852d83d3538

SHA1
a5418b660f6557d302b2e76ce3a77c56120107c5

SHA256
85a2f1317a38efe36411992c3b8e7e4e014f98cafda1ff2cc2a7b4996f262f24

SHA512
063f01b076ce7c634d2af9086e6cd66890adafd6e6c11f428dd6fa5ae588e5f35924a0fd23f69146c9107500bd642c7d3b760d35dcaaa2df8f1b327d322f719d

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ProcExp.exe

Filesize
2.7MB

MD5
4c3152771f439cf1f4bd5852d83d3538

SHA1
a5418b660f6557d302b2e76ce3a77c56120107c5

SHA256
85a2f1317a38efe36411992c3b8e7e4e014f98cafda1ff2cc2a7b4996f262f24

SHA512
063f01b076ce7c634d2af9086e6cd66890adafd6e6c11f428dd6fa5ae588e5f35924a0fd23f69146c9107500bd642c7d3b760d35dcaaa2df8f1b327d322f719d

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pv.exe

Filesize
60KB

MD5
5daf7081a4bb112fa3f1915819330a3e

SHA1
573836139a09310749633889913264f870e3a933

SHA256
ee6659688277d484ec857f9e1b5076f882ba314f4037b6ff24a8fa8ad270c6e8

SHA512
aa0d8814617ac72cd16e9ae119a55942f151637efb2e9c1bfe87480b5116741f4001f723b46ed533b8c44a8fd41859b8affbdd8a7060c0ceea4e1f67001a42a8

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pv.exe

Filesize
60KB

MD5
5daf7081a4bb112fa3f1915819330a3e

SHA1
573836139a09310749633889913264f870e3a933

SHA256
ee6659688277d484ec857f9e1b5076f882ba314f4037b6ff24a8fa8ad270c6e8

SHA512
aa0d8814617ac72cd16e9ae119a55942f151637efb2e9c1bfe87480b5116741f4001f723b46ed533b8c44a8fd41859b8affbdd8a7060c0ceea4e1f67001a42a8

Download Submit
\Users\Admin\AppData\Local\Temp\ProcExp64.exe

Filesize
1.5MB

MD5
2b3334500f3c0c8e351770c3f1053609

SHA1
a56f87b992a2c77034af39d84a9489bcd7812886

SHA256
fc199c705a8f1d3129515a7d25dc712c456c8069c722e8628b3331e040b8140d

SHA512
d0cb37881a973dee7e7ef19af3369224fa7422eb78138c46852ca342d8279998cac2e8e6797693c1ac6ef1e7c57d0fedc6ff5fdffa182a011df0664c2a5f1c8e

Download Submit
\Users\Admin\AppData\Local\Temp\ProcExp64.exe

Filesize
1.5MB

MD5
2b3334500f3c0c8e351770c3f1053609

SHA1
a56f87b992a2c77034af39d84a9489bcd7812886

SHA256
fc199c705a8f1d3129515a7d25dc712c456c8069c722e8628b3331e040b8140d

SHA512
d0cb37881a973dee7e7ef19af3369224fa7422eb78138c46852ca342d8279998cac2e8e6797693c1ac6ef1e7c57d0fedc6ff5fdffa182a011df0664c2a5f1c8e

Download Submit
memory/552-91-0x0000000000000000-mapping.dmp

Download
memory/576-63-0x0000000000000000-mapping.dmp

Download
memory/1152-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1152-56-0x0000000000000000-mapping.dmp

Download
memory/1152-106-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1340-97-0x0000000000000000-mapping.dmp

Download
memory/1488-70-0x0000000000000000-mapping.dmp

Download
memory/1492-60-0x0000000002640000-0x000000000266A000-memory.dmp

Filesize
168KB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-90-0x0000000002640000-0x000000000266A000-memory.dmp

Filesize
168KB

Download
memory/1908-103-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1908-101-0x0000000000000000-mapping.dmp

Download