neshta | 651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098

Analysis

max time kernel
185s
max time network
230s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Size

263KB
MD5

41e602458690a89ea73aa0396310ca70
SHA1

4d6cb371459fd058822d33ddbe7700196e795477
SHA256

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098
SHA512

7f0e24facb267bab08db18ffb0d81b436dcee696345ea4745a80d5d52762e1970046e9ab210165e5c821f43ecbafcc2111aaf128f14af9c222cc21c02fdf66a4
SSDEEP

6144:k9Yzar9UGRZhirjkyvBR/wxE4UhsY0/0hhVaKgQ:TzmmGbhiH5NwS4UhsB/mTB

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exeahwa.exe

pid process

652 651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
2012 ahwa.exe

pid	process
652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
2012	ahwa.exe

Loads dropped DLL 7 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exeahwa.exe

pid	process
2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
2012	ahwa.exe
2012	ahwa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ahwa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	ahwa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	ahwa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wyviruto = "C:\\Users\\Admin\\AppData\\Roaming\\Uscu\\ahwa.exe"	ahwa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

description pid process target process

PID 652 set thread context of 1972 652 651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe cmd.exe

description	pid	process	target process
PID 652 set thread context of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Drops file in Windows directory 1 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

description ioc process

File opened for modification C:\Windows\svchost.com 651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Modifies registry class 1 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ahwa.exe

pid	process
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe
2012	ahwa.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeSecurityPrivilege	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
Token: SeManageVolumePrivilege	556	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

556 WinMail.exe

pid	process
556	WinMail.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exeahwa.exe

description	pid	process	target process
PID 2028 wrote to memory of 652	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2028 wrote to memory of 652	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2028 wrote to memory of 652	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2028 wrote to memory of 652	2028	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 652 wrote to memory of 2012	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	ahwa.exe
PID 652 wrote to memory of 2012	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	ahwa.exe
PID 652 wrote to memory of 2012	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	ahwa.exe
PID 652 wrote to memory of 2012	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	ahwa.exe
PID 2012 wrote to memory of 1128	2012	ahwa.exe	taskhost.exe
PID 2012 wrote to memory of 1128	2012	ahwa.exe	taskhost.exe
PID 2012 wrote to memory of 1128	2012	ahwa.exe	taskhost.exe
PID 2012 wrote to memory of 1128	2012	ahwa.exe	taskhost.exe
PID 2012 wrote to memory of 1128	2012	ahwa.exe	taskhost.exe
PID 2012 wrote to memory of 1180	2012	ahwa.exe	Dwm.exe
PID 2012 wrote to memory of 1180	2012	ahwa.exe	Dwm.exe
PID 2012 wrote to memory of 1180	2012	ahwa.exe	Dwm.exe
PID 2012 wrote to memory of 1180	2012	ahwa.exe	Dwm.exe
PID 2012 wrote to memory of 1180	2012	ahwa.exe	Dwm.exe
PID 2012 wrote to memory of 1252	2012	ahwa.exe	Explorer.EXE
PID 2012 wrote to memory of 1252	2012	ahwa.exe	Explorer.EXE
PID 2012 wrote to memory of 1252	2012	ahwa.exe	Explorer.EXE
PID 2012 wrote to memory of 1252	2012	ahwa.exe	Explorer.EXE
PID 2012 wrote to memory of 1252	2012	ahwa.exe	Explorer.EXE
PID 2012 wrote to memory of 2028	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 2028	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 2028	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 2028	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 2028	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 652	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 652	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 652	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 652	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 2012 wrote to memory of 652	2012	ahwa.exe	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 652 wrote to memory of 1972	652	651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe	cmd.exe
PID 2012 wrote to memory of 480	2012	ahwa.exe	conhost.exe
PID 2012 wrote to memory of 480	2012	ahwa.exe	conhost.exe
PID 2012 wrote to memory of 480	2012	ahwa.exe	conhost.exe
PID 2012 wrote to memory of 480	2012	ahwa.exe	conhost.exe
PID 2012 wrote to memory of 480	2012	ahwa.exe	conhost.exe
PID 2012 wrote to memory of 904	2012	ahwa.exe	DllHost.exe
PID 2012 wrote to memory of 904	2012	ahwa.exe	DllHost.exe
PID 2012 wrote to memory of 904	2012	ahwa.exe	DllHost.exe
PID 2012 wrote to memory of 904	2012	ahwa.exe	DllHost.exe
PID 2012 wrote to memory of 904	2012	ahwa.exe	DllHost.exe
PID 2012 wrote to memory of 556	2012	ahwa.exe	WinMail.exe
PID 2012 wrote to memory of 556	2012	ahwa.exe	WinMail.exe
PID 2012 wrote to memory of 556	2012	ahwa.exe	WinMail.exe
PID 2012 wrote to memory of 556	2012	ahwa.exe	WinMail.exe
PID 2012 wrote to memory of 556	2012	ahwa.exe	WinMail.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
"C:\Users\Admin\AppData\Local\Temp\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe"
2⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Roaming\Uscu\ahwa.exe
"C:\Users\Admin\AppData\Roaming\Uscu\ahwa.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9a3413d4.bat"
4⤵
PID:1972

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6330519331059707142-30142596513221398461067127187929134563935232006-60018498"
1⤵
PID:480

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:904

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Filesize
223KB

MD5
9c13eac3b71ecbab06fd1526f453d738

SHA1
08bf76f7839b75277a905bc0fb40d5bbee36e00c

SHA256
1cf252968b21e4e2ec151ba7c4affc4f13fe33330f03d35a7694b1e83b9a4b96

SHA512
8f7d8ab7101323aeaa4323290f5f226d3fc7072311589171d545c14171631dd91bccac80791bda62a66879d95d8554940a611c1ef23bf699a4f7d2ce7f3bfb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Filesize
223KB

MD5
9c13eac3b71ecbab06fd1526f453d738

SHA1
08bf76f7839b75277a905bc0fb40d5bbee36e00c

SHA256
1cf252968b21e4e2ec151ba7c4affc4f13fe33330f03d35a7694b1e83b9a4b96

SHA512
8f7d8ab7101323aeaa4323290f5f226d3fc7072311589171d545c14171631dd91bccac80791bda62a66879d95d8554940a611c1ef23bf699a4f7d2ce7f3bfb74

Download Submit
C:\Users\Admin\AppData\Roaming\Uscu\ahwa.exe

Filesize
223KB

MD5
4fa0c77e95c38e6fb137cc006e00f66e

SHA1
2e3698ca6a928174ee92583034cc82099d0a98e4

SHA256
ccfb6f0910f6f1f9dfbf62b7f35858ce556596659d21d8b2a58c7ec4d0966f42

SHA512
2910e113ab0dfe5af3430b9d9117dde6c26012f57c748663fec886eb1e1ca1d20ffa9c894360f8e924bd262df6018e64c2020aaaa5cd0fb532bd7dd028cd96bb

Download Submit
C:\Users\Admin\AppData\Roaming\Uscu\ahwa.exe

Filesize
223KB

MD5
4fa0c77e95c38e6fb137cc006e00f66e

SHA1
2e3698ca6a928174ee92583034cc82099d0a98e4

SHA256
ccfb6f0910f6f1f9dfbf62b7f35858ce556596659d21d8b2a58c7ec4d0966f42

SHA512
2910e113ab0dfe5af3430b9d9117dde6c26012f57c748663fec886eb1e1ca1d20ffa9c894360f8e924bd262df6018e64c2020aaaa5cd0fb532bd7dd028cd96bb

Download Submit
C:\Users\Admin\AppData\Roaming\Ybxao\ripi.idp

Filesize
4KB

MD5
0d1a9a779a0881e5657fb1ed5214b327

SHA1
41f757bbad3cc76ccb14a24283f1e72da688ddc4

SHA256
83b81fd58eed14af34151bfc286370641b3e31695ee58ddf8f142b555ae509e1

SHA512
ea5b87c8dae49436aae5775963b93457bd8cafaa72a2303ac2664e811a4931e2a9ac0d7f0e7c7ec4a7dcc4089376f6b7c04cabcb23dfb63917c66f7c2f91cee0

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Filesize
223KB

MD5
9c13eac3b71ecbab06fd1526f453d738

SHA1
08bf76f7839b75277a905bc0fb40d5bbee36e00c

SHA256
1cf252968b21e4e2ec151ba7c4affc4f13fe33330f03d35a7694b1e83b9a4b96

SHA512
8f7d8ab7101323aeaa4323290f5f226d3fc7072311589171d545c14171631dd91bccac80791bda62a66879d95d8554940a611c1ef23bf699a4f7d2ce7f3bfb74

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Filesize
223KB

MD5
9c13eac3b71ecbab06fd1526f453d738

SHA1
08bf76f7839b75277a905bc0fb40d5bbee36e00c

SHA256
1cf252968b21e4e2ec151ba7c4affc4f13fe33330f03d35a7694b1e83b9a4b96

SHA512
8f7d8ab7101323aeaa4323290f5f226d3fc7072311589171d545c14171631dd91bccac80791bda62a66879d95d8554940a611c1ef23bf699a4f7d2ce7f3bfb74

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Filesize
223KB

MD5
9c13eac3b71ecbab06fd1526f453d738

SHA1
08bf76f7839b75277a905bc0fb40d5bbee36e00c

SHA256
1cf252968b21e4e2ec151ba7c4affc4f13fe33330f03d35a7694b1e83b9a4b96

SHA512
8f7d8ab7101323aeaa4323290f5f226d3fc7072311589171d545c14171631dd91bccac80791bda62a66879d95d8554940a611c1ef23bf699a4f7d2ce7f3bfb74

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\651c8e0bbf331156743397142e81250994b5975b1fd1b6cf400bb0a610936098.exe

Filesize
223KB

MD5
9c13eac3b71ecbab06fd1526f453d738

SHA1
08bf76f7839b75277a905bc0fb40d5bbee36e00c

SHA256
1cf252968b21e4e2ec151ba7c4affc4f13fe33330f03d35a7694b1e83b9a4b96

SHA512
8f7d8ab7101323aeaa4323290f5f226d3fc7072311589171d545c14171631dd91bccac80791bda62a66879d95d8554940a611c1ef23bf699a4f7d2ce7f3bfb74

Download Submit
\Users\Admin\AppData\Roaming\Uscu\ahwa.exe

Filesize
223KB

MD5
4fa0c77e95c38e6fb137cc006e00f66e

SHA1
2e3698ca6a928174ee92583034cc82099d0a98e4

SHA256
ccfb6f0910f6f1f9dfbf62b7f35858ce556596659d21d8b2a58c7ec4d0966f42

SHA512
2910e113ab0dfe5af3430b9d9117dde6c26012f57c748663fec886eb1e1ca1d20ffa9c894360f8e924bd262df6018e64c2020aaaa5cd0fb532bd7dd028cd96bb

Download Submit
\Users\Admin\AppData\Roaming\Uscu\ahwa.exe

Filesize
223KB

MD5
4fa0c77e95c38e6fb137cc006e00f66e

SHA1
2e3698ca6a928174ee92583034cc82099d0a98e4

SHA256
ccfb6f0910f6f1f9dfbf62b7f35858ce556596659d21d8b2a58c7ec4d0966f42

SHA512
2910e113ab0dfe5af3430b9d9117dde6c26012f57c748663fec886eb1e1ca1d20ffa9c894360f8e924bd262df6018e64c2020aaaa5cd0fb532bd7dd028cd96bb

Download Submit
memory/652-61-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/652-60-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/652-246-0x00000000025C0000-0x00000000025FB000-memory.dmp

Filesize
236KB

Download
memory/652-361-0x00000000025C0000-0x00000000025FB000-memory.dmp

Filesize
236KB

Download
memory/652-57-0x0000000000000000-mapping.dmp

Download
memory/1128-76-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1128-75-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1128-71-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1128-73-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1128-74-0x0000000001E10000-0x0000000001E4B000-memory.dmp

Filesize
236KB

Download
memory/1180-81-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1180-79-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1180-82-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1180-80-0x0000000001AC0000-0x0000000001AFB000-memory.dmp

Filesize
236KB

Download
memory/1252-86-0x0000000002AE0000-0x0000000002B1B000-memory.dmp

Filesize
236KB

Download
memory/1252-87-0x0000000002AE0000-0x0000000002B1B000-memory.dmp

Filesize
236KB

Download
memory/1252-88-0x0000000002AE0000-0x0000000002B1B000-memory.dmp

Filesize
236KB

Download
memory/1252-85-0x0000000002AE0000-0x0000000002B1B000-memory.dmp

Filesize
236KB

Download
memory/1972-489-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1972-362-0x0000000000069BF5-mapping.dmp

Download
memory/2012-66-0x0000000000000000-mapping.dmp

Download
memory/2028-92-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-102-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-104-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-106-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-100-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-108-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-110-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-112-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-114-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-116-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-118-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-120-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-124-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-122-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-126-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-130-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-132-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-128-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-99-0x0000000002560000-0x00000000031AA000-memory.dmp

Filesize
12.3MB

Download
memory/2028-97-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-95-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-353-0x0000000002560000-0x00000000031AA000-memory.dmp

Filesize
12.3MB

Download
memory/2028-93-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-94-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-91-0x0000000002A20000-0x0000000002A5B000-memory.dmp

Filesize
236KB

Download
memory/2028-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download