neshta | 67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe
Size

5.8MB
MD5

92d102b09864103c6cad122c76f1fea6
SHA1

cd28994ab158fd357aeb71d0b33ed2312d4194ce
SHA256

67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee
SHA512

4e117e464521c41d2020cb565f157b4b2b266e60dffcb5d73371b9770044c14b5df184a7752455e2836ac9dc7aad4e0f6d5ad31416238e205c3f8cddb5e4ed31
SSDEEP

98304:5lXMjBFx2i0ro9+bkcC79cUpRgoC2BVZQUEnpaAV4f6PE4OmiuO3vh:5lXMjBFAi0ro0bkcEmxcv/+paAV4faLK

Score

10^/10

neshta evasion persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 26 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\LocalPPiXazGYJv.exe	family_neshta
C:\Users\Admin\AppData\LocalPPiXazGYJv.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

LocalPPiXazGYJv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	LocalPPiXazGYJv.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 5 IoCs

Processes:

LocalPPiXazGYJv.exeLocalM_GXZGkpRk.exeLocalPPiXazGYJv.exesvchost.comyahoo.exe

pid process

3036 LocalPPiXazGYJv.exe
2296 LocalM_GXZGkpRk.exe
5016 LocalPPiXazGYJv.exe
4648 svchost.com
1800 yahoo.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2896 netsh.exe

pid	process
3036	LocalPPiXazGYJv.exe
2296	LocalM_GXZGkpRk.exe
5016	LocalPPiXazGYJv.exe
4648	svchost.com
1800	yahoo.exe

pid	process
2896	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exeLocalPPiXazGYJv.exeLocalPPiXazGYJv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	LocalPPiXazGYJv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	LocalPPiXazGYJv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yahoo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8ef6e5fbcf93c20a9c240921a52d8776 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yahoo.exe\" .."	yahoo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8ef6e5fbcf93c20a9c240921a52d8776 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yahoo.exe\" .."	yahoo.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comLocalPPiXazGYJv.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	LocalPPiXazGYJv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com

Drops file in Windows directory 4 IoCs

Processes:

dw20.exeLocalPPiXazGYJv.exesvchost.com

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe
File opened for modification	C:\Windows\svchost.com	LocalPPiXazGYJv.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry class 2 IoCs

Processes:

LocalPPiXazGYJv.exeLocalPPiXazGYJv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	LocalPPiXazGYJv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	LocalPPiXazGYJv.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

yahoo.exe

pid	process
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe
1800	yahoo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dw20.exeyahoo.exe

description	pid	process
Token: SeRestorePrivilege	1420	dw20.exe
Token: SeBackupPrivilege	1420	dw20.exe
Token: SeBackupPrivilege	1420	dw20.exe
Token: SeBackupPrivilege	1420	dw20.exe
Token: SeBackupPrivilege	1420	dw20.exe
Token: SeDebugPrivilege	1800	yahoo.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exeLocalM_GXZGkpRk.exeLocalPPiXazGYJv.exeLocalPPiXazGYJv.exesvchost.comyahoo.exe

description	pid	process	target process
PID 904 wrote to memory of 3036	904	67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe	LocalPPiXazGYJv.exe
PID 904 wrote to memory of 3036	904	67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe	LocalPPiXazGYJv.exe
PID 904 wrote to memory of 3036	904	67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe	LocalPPiXazGYJv.exe
PID 904 wrote to memory of 2296	904	67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe	LocalM_GXZGkpRk.exe
PID 904 wrote to memory of 2296	904	67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe	LocalM_GXZGkpRk.exe
PID 904 wrote to memory of 2296	904	67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe	LocalM_GXZGkpRk.exe
PID 2296 wrote to memory of 1420	2296	LocalM_GXZGkpRk.exe	dw20.exe
PID 2296 wrote to memory of 1420	2296	LocalM_GXZGkpRk.exe	dw20.exe
PID 2296 wrote to memory of 1420	2296	LocalM_GXZGkpRk.exe	dw20.exe
PID 3036 wrote to memory of 5016	3036	LocalPPiXazGYJv.exe	LocalPPiXazGYJv.exe
PID 3036 wrote to memory of 5016	3036	LocalPPiXazGYJv.exe	LocalPPiXazGYJv.exe
PID 3036 wrote to memory of 5016	3036	LocalPPiXazGYJv.exe	LocalPPiXazGYJv.exe
PID 5016 wrote to memory of 4648	5016	LocalPPiXazGYJv.exe	svchost.com
PID 5016 wrote to memory of 4648	5016	LocalPPiXazGYJv.exe	svchost.com
PID 5016 wrote to memory of 4648	5016	LocalPPiXazGYJv.exe	svchost.com
PID 4648 wrote to memory of 1800	4648	svchost.com	yahoo.exe
PID 4648 wrote to memory of 1800	4648	svchost.com	yahoo.exe
PID 4648 wrote to memory of 1800	4648	svchost.com	yahoo.exe
PID 1800 wrote to memory of 2896	1800	yahoo.exe	netsh.exe
PID 1800 wrote to memory of 2896	1800	yahoo.exe	netsh.exe
PID 1800 wrote to memory of 2896	1800	yahoo.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe
"C:\Users\Admin\AppData\Local\Temp\67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\LocalPPiXazGYJv.exe
"C:\Users\Admin\AppData\LocalPPiXazGYJv.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\3582-490\LocalPPiXazGYJv.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\LocalPPiXazGYJv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\yahoo.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yahoo.exe" "yahoo.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:2896

C:\Users\Admin\AppData\LocalM_GXZGkpRk.exe
"C:\Users\Admin\AppData\LocalM_GXZGkpRk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 844
3⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
Filesize
1.6MB

MD5
ca08e5fa7f142d36e4e16d1b9ca35ea1

SHA1
8d2ab4723b21ac8045bcbc78341777f3d343f140

SHA256
807bc9b3e8689b8e7019ecf93ac475636a2f51c3dc678cf7483923c7fe9f50d4

SHA512
d5e6519397a9eeef0861b32911da6bd20853e608a9c7f4651ca9c6fe69f79dc016010e558934cf96dd968ca49098553831ac2296ff7dc83878f3d7370db148d3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe
Filesize
537KB

MD5
365a79a3103889da0d1034eef90e150b

SHA1
9c6d6600212ceb9b712fea1d99d85e7ef7f748eb

SHA256
49593d97b8367cddb5e341e367c851573c076fa052639e08d933e5203b77b5ef

SHA512
08ad848319600e122f9de12d103104ea155be17205171669cd305e3c9d9ac500a4dc10938b1c094b2705a13b4aa2b67344a59635ed7cedc95e52e9eba9371684

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe
Filesize
3.2MB

MD5
fe1b69272105afc35c59fdde851a0e73

SHA1
7407f32ccd3d444aac532dfa2dee59d6d38fb91a

SHA256
f68ee8f47c69284ceabde249d8f9406f35f085353a299a8707a24c6b34b775c6

SHA512
92fc046442048f67e0a5612f3d63e9b986d7803469737c226825415e91a9b2fdebd02bd951d082806cc8944e422c79ef29ffa4653a6364f4c1f5681c7ba043a3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe
Filesize
156KB

MD5
5ad8dd7a663f101ffeddfcd6bae2f9cf

SHA1
67fabad5399c2e46191c1132e0874a6cc2b208f8

SHA256
6a4a49328946be26ca31632af3e5441ba2b8247a51671de188c86821f1eb890b

SHA512
1db427eee862578fa4ce1e40071df6e5b6db3f67546d15a497a4714ee4b1de6dd8d7aba73681dc8e9f23f135f5ca71dcd8dfd9abaf1620ab578e5ef63e36968a

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe
Filesize
1.7MB

MD5
2a52fd23291f3caca91b559c3dcd637f

SHA1
c2cef19fcb10d45e5e1c437a7e4246d500ed09a3

SHA256
2a228d131fd39876865c31dadd000193978618637ca12408e42f4060aa2f466c

SHA512
f189c9f0b68d6d6842113e048356565569f67e7e63c6d4563913c99038f0a0bb54b750f37c098a50936eb115d751265314abde27d5014c6c73011c031f82b248

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe
Filesize
1.1MB

MD5
abd40544970e354010ac043696fcc6f2

SHA1
207ca492a30f97bed856fdaa318bd1ded2c8f191

SHA256
58b3fc8e0f6d38e27f8f5b7984e70ec6132fddd5e05169d4026c1b3a9e43d5e4

SHA512
e8a491a8ff31b0854eb0cf69f95ef56bb9ffa0e113113201ef650bd5e02b9fd3fd7aca072d697de007333ea8a254fa4f2944db50b8ea4ff19b851241b3c93890

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe
Filesize
3.7MB

MD5
e1545cbdd197de221913344565f16c76

SHA1
3672b92456462879827edb7041bab80812ff8edd

SHA256
6ecc928d1a67f292103a6731630a942cf8b9bcb52ab6a1d47ed4f9202751b110

SHA512
a8186842890a851a9760d821d42490620e4e9f7906908ac63547913f9411502f45847155d844824e646068529b4112c7acd07ee1840294a347e07d293c0309ac

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe
Filesize
1.1MB

MD5
5423852b85f3cd0628f3a242e1e9eebe

SHA1
1264f6ee997a1876062952dbb7ceae06c2732792

SHA256
385fd4beecebd8c3702413373be358994e1af9481c88148613026f737a855f93

SHA512
4fb16f3c8198e77437b609e05831421a2d9a5597f83ac22819787082f52ffd1a5a626ff99c137a99ad8b6eca40bb2111a347e67e0351be4d8235a26517475300

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe
Filesize
1.8MB

MD5
e9db236130389516b93f40c919c2619b

SHA1
2722717f25122719010bdb0b49bcbb6f9a9d69ac

SHA256
3d3c7ff298fa5d2914470fc32fcb92a82d1ce8924933221895bcbab49d29eab8

SHA512
5bc6fbd9f97754bf4ec44ee7101d86657a35af6ee3a1b0b79bba4fbffffbfbf3b5836bffe9dd7db495c5688c8b7b291e52b0a6c89ea1f5e41e79507e49f30598

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe
Filesize
3.2MB

MD5
816bf809bdab7e95c6f16b38f619a527

SHA1
5bc139e11d077e8fa88394fb610f63f629f3b86d

SHA256
75367284d50434c966d4126241682829523a0baa1c03163b9383433182433a75

SHA512
1e7fbdbfcfb805691ca402acb7da16222da3f6d923db3cc5fe36cb7e677159f5a4b3ab8397d4d34ed82dc389220721bd40d37e35ecc57411133a1601fca1555c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe
Filesize
1.3MB

MD5
2a46785ab8b2aad2bf6630d12a17a6ce

SHA1
e9704d280ea3589c3b4c1d808a5ff0efe83bc330

SHA256
1bb2b789bf7890e583958a213a20a20c920972ecac9e1874c04b49d28f69f224

SHA512
5efb0fdfbadca4698879249f5a2d07846012394c50695f663c18f469e887124819537bb71b179d427886e1325bc201cd28bd499fb75d2bdff01dfdf8a13db94e

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe
Filesize
1.1MB

MD5
25689bf879a14f124ea71db500ddb522

SHA1
36dc53850fef561a5ecbb3acdaaaa8aa7868c14c

SHA256
2bd534244e50c34d36957c30cb26077ef7e91635eb93df15d1b16c867b125c3f

SHA512
fc182276d7187bbb941c171dc70900bdbf81591f83559dd3c0be2f2467ca66c853a5e5cc6affff5870cd0fbd6dcd0db69bb8f55068085eb39fb61b3cfdcd0ed3

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize
494KB

MD5
05bdfd8a3128ab14d96818f43ebe9c0e

SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7

SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb

SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB

MD5
015caa1588f703bd73bc7cfe9386ffe4

SHA1
747bec0876a67c0242ff657d47d7c383254ea857

SHA256
e5c6463292e3013ef2eb211dad0dfa716671241affbd8bed5802a94f03950141

SHA512
1fb3b2fa422d635c71a8e7865714516b7de1c32e6286f8b975be71b17a9186fcac78852e9467b4751b4eab69cb6af30140772858a758596596d09d767d170aab

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
715KB

MD5
06366e48936df8d5556435c9820e9990

SHA1
0e3ed1da26a0c96f549720684e87352f1b58ef45

SHA256
cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

SHA512
bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
536KB

MD5
31685b921fcd439185495e2bdc8c5ebf

SHA1
5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

SHA256
4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

SHA512
04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
536KB

MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\Admin\AppData\LocalM_GXZGkpRk.exe
Filesize
911KB

MD5
f896fd2230ec80959e01c4d3ede8cd70

SHA1
02a15f21a6f9664d1c7923228d24051bcf6afa0f

SHA256
1876a63391a12016b8b5ae4fb7cc67d0f1ab163f51c673a79ee98e01fe01055f

SHA512
9bbe552ecf9f33b41656068513516469c6c068b99fb76babdfc00f0252bdf13c7d3a9dfdffcb46c18f73fa3b771f3b887fa053008b74b2e38a6d08e6f8bfe7b6

Download Submit
C:\Users\Admin\AppData\LocalM_GXZGkpRk.exe
Filesize
911KB

MD5
f896fd2230ec80959e01c4d3ede8cd70

SHA1
02a15f21a6f9664d1c7923228d24051bcf6afa0f

SHA256
1876a63391a12016b8b5ae4fb7cc67d0f1ab163f51c673a79ee98e01fe01055f

SHA512
9bbe552ecf9f33b41656068513516469c6c068b99fb76babdfc00f0252bdf13c7d3a9dfdffcb46c18f73fa3b771f3b887fa053008b74b2e38a6d08e6f8bfe7b6

Download Submit
C:\Users\Admin\AppData\LocalPPiXazGYJv.exe
Filesize
4.6MB

MD5
2e9e324e8f76e5616ddd8c4f6253bb45

SHA1
bc09dfce3d2ff1cdd74b4118470a3a0a539f1f88

SHA256
cfe4342e63ddae099d29699e295ff9ade3b1847ddb264d75b0ef478b08ecca81

SHA512
2b40b71ab0e37e7aaccd5d34fb084967abbad83221c6fc82d9e225b8013b9496578a38537b23ca999dcb200b9eca74add13b3cfc2d92cfcb09716172d321d6af

Download Submit
C:\Users\Admin\AppData\LocalPPiXazGYJv.exe
Filesize
4.6MB

MD5
2e9e324e8f76e5616ddd8c4f6253bb45

SHA1
bc09dfce3d2ff1cdd74b4118470a3a0a539f1f88

SHA256
cfe4342e63ddae099d29699e295ff9ade3b1847ddb264d75b0ef478b08ecca81

SHA512
2b40b71ab0e37e7aaccd5d34fb084967abbad83221c6fc82d9e225b8013b9496578a38537b23ca999dcb200b9eca74add13b3cfc2d92cfcb09716172d321d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\LocalPPiXazGYJv.exe
Filesize
4.6MB

MD5
5080bd240def418ca25ade93a1cb8f0c

SHA1
28ba6662bfad38ddadd2c9c91f421acdd1631465

SHA256
c4137bd5ece1919ded21a6489dab7beae37f8233f53e85b194d6c27d8bbbfc4e

SHA512
8398819044cc429b5e06466c03d23b30b1d3bd23827c05b2450ac4f2a7ee30e4c9024348096206d26cb3509ea725666fe4e67ac92f8cddeac12fc9a78ed20959

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\LocalPPiXazGYJv.exe
Filesize
4.6MB

MD5
5080bd240def418ca25ade93a1cb8f0c

SHA1
28ba6662bfad38ddadd2c9c91f421acdd1631465

SHA256
c4137bd5ece1919ded21a6489dab7beae37f8233f53e85b194d6c27d8bbbfc4e

SHA512
8398819044cc429b5e06466c03d23b30b1d3bd23827c05b2450ac4f2a7ee30e4c9024348096206d26cb3509ea725666fe4e67ac92f8cddeac12fc9a78ed20959

Download Submit
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
4.6MB

MD5
5080bd240def418ca25ade93a1cb8f0c

SHA1
28ba6662bfad38ddadd2c9c91f421acdd1631465

SHA256
c4137bd5ece1919ded21a6489dab7beae37f8233f53e85b194d6c27d8bbbfc4e

SHA512
8398819044cc429b5e06466c03d23b30b1d3bd23827c05b2450ac4f2a7ee30e4c9024348096206d26cb3509ea725666fe4e67ac92f8cddeac12fc9a78ed20959

Download Submit
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
4.6MB

MD5
5080bd240def418ca25ade93a1cb8f0c

SHA1
28ba6662bfad38ddadd2c9c91f421acdd1631465

SHA256
c4137bd5ece1919ded21a6489dab7beae37f8233f53e85b194d6c27d8bbbfc4e

SHA512
8398819044cc429b5e06466c03d23b30b1d3bd23827c05b2450ac4f2a7ee30e4c9024348096206d26cb3509ea725666fe4e67ac92f8cddeac12fc9a78ed20959

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/904-132-0x00007FF9F2B30000-0x00007FF9F3566000-memory.dmp

Filesize
10.2MB

Download
memory/1420-140-0x0000000000000000-mapping.dmp

Download
memory/1800-156-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/1800-150-0x0000000000000000-mapping.dmp

Download
memory/1800-153-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2296-139-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2296-145-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/2296-135-0x0000000000000000-mapping.dmp

Download
memory/2896-154-0x0000000000000000-mapping.dmp

Download
memory/3036-133-0x0000000000000000-mapping.dmp

Download
memory/4648-146-0x0000000000000000-mapping.dmp

Download
memory/5016-152-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/5016-141-0x0000000000000000-mapping.dmp

Download
memory/5016-144-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download