neshta | 23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e

Analysis

max time kernel
145s
max time network
60s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-11-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
Size

178KB
MD5

41203c855ad40eb8f2805b6d07330170
SHA1

ff052d48fdae4a0fa2f0ea3ae6ad5a80396f0412
SHA256

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e
SHA512

96c4e5183f372cee9f334264c528c45e9a6f2fff811559c676dc40736434a17f883e8858c0fde8841e35d799fac18e303c439c807ce71cccc82f198c4000623b
SSDEEP

3072:sr85CsCY4MS+d6c0Q3p37DauwpkJrQ4gS8Qatcwdba:k9HY6+ddlDaTStaFba

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.execrap.exelsass.exe

pid process

316 23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
1508 crap.exe
1944 lsass.exe
Drops startup file 1 IoCs

Processes:

crap.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe crap.exe

pid	process
316	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
1508	crap.exe
1944	lsass.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe	crap.exe

Loads dropped DLL 4 IoCs

Processes:

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.execrap.exe

pid	process
976	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
1508	crap.exe
1508	crap.exe
976	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

Drops file in Windows directory 1 IoCs

Processes:

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

description ioc process

File opened for modification C:\Windows\svchost.com 23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

Modifies registry class 1 IoCs

Processes:

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

crap.exe

pid process

1508 crap.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pid process

1280
1280
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1280
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

lsass.exeexplorer.exe

pid process

1944 lsass.exe
1172 explorer.exe
1280
1280
1280
1280
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

crap.exelsass.exe

description pid process

Token: SeDebugPrivilege 1508 crap.exe
Token: SeDebugPrivilege 1944 lsass.exe
Token: SeDebugPrivilege 1280
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1280
1280
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1280
1280

pid	process
1508	crap.exe

pid	process
1280
1280

pid	process
1280

pid	process
1944	lsass.exe
1172	explorer.exe
1280
1280
1280
1280

description	pid	process
Token: SeDebugPrivilege	1508	crap.exe
Token: SeDebugPrivilege	1944	lsass.exe
Token: SeDebugPrivilege	1280

pid	process
1280
1280

pid	process
1280
1280

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.execmd.execrap.exelsass.exe

description	pid	process	target process
PID 976 wrote to memory of 316	976	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
PID 976 wrote to memory of 316	976	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
PID 976 wrote to memory of 316	976	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
PID 976 wrote to memory of 316	976	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
PID 316 wrote to memory of 700	316	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	cmd.exe
PID 316 wrote to memory of 700	316	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	cmd.exe
PID 316 wrote to memory of 700	316	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	cmd.exe
PID 316 wrote to memory of 700	316	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	cmd.exe
PID 316 wrote to memory of 700	316	23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe	cmd.exe
PID 700 wrote to memory of 1508	700	cmd.exe	crap.exe
PID 700 wrote to memory of 1508	700	cmd.exe	crap.exe
PID 700 wrote to memory of 1508	700	cmd.exe	crap.exe
PID 700 wrote to memory of 1508	700	cmd.exe	crap.exe
PID 1508 wrote to memory of 1944	1508	crap.exe	lsass.exe
PID 1508 wrote to memory of 1944	1508	crap.exe	lsass.exe
PID 1508 wrote to memory of 1944	1508	crap.exe	lsass.exe
PID 1508 wrote to memory of 1944	1508	crap.exe	lsass.exe
PID 1944 wrote to memory of 1172	1944	lsass.exe	explorer.exe
PID 1944 wrote to memory of 1172	1944	lsass.exe	explorer.exe
PID 1944 wrote to memory of 1172	1944	lsass.exe	explorer.exe
PID 1944 wrote to memory of 1172	1944	lsass.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
"C:\Users\Admin\AppData\Local\Temp\23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\3582-490\23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2398.tmp\update.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\crap.exe
crap.exe
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe
6⤵
- Suspicious behavior: MapViewOfSection
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2398.tmp\update.bat

Filesize
14B

MD5
6c397f8f848ab91229503e14f985a22f

SHA1
fa57522028691d0f0d3bd0026251073bc2969129

SHA256
6de8a4daa00dc189dcaad22aee58e6bb6bba924c90157607f4bfd4e976fb5b42

SHA512
fe80a41ca738ab7d5855c05da65d6f22ab00df37d47f0df317387e075341ed5bc8e8959356c88087e8bd9a4a73bbec7429aa81722fc7911479771a96ac12fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

Filesize
138KB

MD5
de381a33319c952d815b791064e65685

SHA1
178f5d718d515e27ff17ccf3886914b1f586d969

SHA256
77b5ede735710506ef1fb4cbd0fc0c799136d0c579f510ed944f71dce6694dc8

SHA512
1fea5c1576d6c5db5d0f04e1e207093813e87542b148443596d2c001aad34c584b2bab18861f10024395195728bcfcc54fbbdcf0fb77b78c225ffd0cd22cb3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\crap.exe

Filesize
93KB

MD5
0e7f92a7c0ee9cac008cd506ba10bcb1

SHA1
d5e7572f76b37d1d928fd1371d37b9b124bd0a68

SHA256
94deeb50e13f7867b04182c759476758c8c800dd03733c3cba3e27f5f29aa470

SHA512
31384b870e1cea4a2794d9913e5d05088a5e171bb2c9af7759c3495e1645d3b1cd2178eadc930dede32092dcfeb3e3c32ab15c619460b657c2556ef3e41726d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\crap.exe

Filesize
93KB

MD5
0e7f92a7c0ee9cac008cd506ba10bcb1

SHA1
d5e7572f76b37d1d928fd1371d37b9b124bd0a68

SHA256
94deeb50e13f7867b04182c759476758c8c800dd03733c3cba3e27f5f29aa470

SHA512
31384b870e1cea4a2794d9913e5d05088a5e171bb2c9af7759c3495e1645d3b1cd2178eadc930dede32092dcfeb3e3c32ab15c619460b657c2556ef3e41726d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
0e7f92a7c0ee9cac008cd506ba10bcb1

SHA1
d5e7572f76b37d1d928fd1371d37b9b124bd0a68

SHA256
94deeb50e13f7867b04182c759476758c8c800dd03733c3cba3e27f5f29aa470

SHA512
31384b870e1cea4a2794d9913e5d05088a5e171bb2c9af7759c3495e1645d3b1cd2178eadc930dede32092dcfeb3e3c32ab15c619460b657c2556ef3e41726d5

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\23c6008e50c0b6a655d9f61c8f7f6e5f0bc1410cfe5bf279ca4ee4d67fe4d09e.exe

Filesize
138KB

MD5
de381a33319c952d815b791064e65685

SHA1
178f5d718d515e27ff17ccf3886914b1f586d969

SHA256
77b5ede735710506ef1fb4cbd0fc0c799136d0c579f510ed944f71dce6694dc8

SHA512
1fea5c1576d6c5db5d0f04e1e207093813e87542b148443596d2c001aad34c584b2bab18861f10024395195728bcfcc54fbbdcf0fb77b78c225ffd0cd22cb3b0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
0e7f92a7c0ee9cac008cd506ba10bcb1

SHA1
d5e7572f76b37d1d928fd1371d37b9b124bd0a68

SHA256
94deeb50e13f7867b04182c759476758c8c800dd03733c3cba3e27f5f29aa470

SHA512
31384b870e1cea4a2794d9913e5d05088a5e171bb2c9af7759c3495e1645d3b1cd2178eadc930dede32092dcfeb3e3c32ab15c619460b657c2556ef3e41726d5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe

Filesize
93KB

MD5
0e7f92a7c0ee9cac008cd506ba10bcb1

SHA1
d5e7572f76b37d1d928fd1371d37b9b124bd0a68

SHA256
94deeb50e13f7867b04182c759476758c8c800dd03733c3cba3e27f5f29aa470

SHA512
31384b870e1cea4a2794d9913e5d05088a5e171bb2c9af7759c3495e1645d3b1cd2178eadc930dede32092dcfeb3e3c32ab15c619460b657c2556ef3e41726d5

Download Submit
memory/316-75-0x0000000140000000-0x000000014004C000-memory.dmp

Filesize
304KB

Download
memory/316-58-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/316-56-0x0000000000000000-mapping.dmp

Download
memory/316-77-0x0000000001C70000-0x0000000001C82000-memory.dmp

Filesize
72KB

Download
memory/316-76-0x0000000001D80000-0x0000000001DA7000-memory.dmp

Filesize
156KB

Download
memory/700-59-0x0000000000000000-mapping.dmp

Download
memory/976-83-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/976-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/976-80-0x0000000002400000-0x000000000304A000-memory.dmp

Filesize
12.3MB

Download
memory/976-78-0x0000000002600000-0x000000000264C000-memory.dmp

Filesize
304KB

Download
memory/976-85-0x0000000002600000-0x000000000264C000-memory.dmp

Filesize
304KB

Download
memory/1124-81-0x0000000000320000-0x0000000000347000-memory.dmp

Filesize
156KB

Download
memory/1172-74-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/1172-71-0x0000000000000000-mapping.dmp

Download
memory/1204-82-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1280-79-0x00000000026B0000-0x00000000026D7000-memory.dmp

Filesize
156KB

Download
memory/1508-68-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1508-62-0x0000000000000000-mapping.dmp

Download
memory/1944-73-0x00000000003A0000-0x00000000003C7000-memory.dmp

Filesize
156KB

Download
memory/1944-72-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1944-67-0x0000000000000000-mapping.dmp

Download