neshta | 2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b

Analysis

max time kernel
108s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Size

412KB
MD5

086f75f505adfc0e604c0e74a94a7ada
SHA1

6344e3f3e88e357b8e6ac32de0b0e85596140902
SHA256

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b
SHA512

4dc6450b7460b501020ad20100b07c8b5935414c40b6780c8aa54f866a8f3204dd2d3eec36721435f542cf247740b8233cfdf03b32406d7ccbab020c94e0561e
SSDEEP

3072:sr85C+RkqTBMwaCrISdz42P3blJUQdvZaBXe7g7S:k9ET6waCrI/2PxxuXekS

Score

10^/10

neshta njrat persistence spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

pid	process
1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
1896	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

Loads dropped DLL 4 IoCs

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exedw20.exe

pid	process
908	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
612	dw20.exe
908	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

description	pid	process	target process
PID 1092 set thread context of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

Drops file in Program Files directory 64 IoCs

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

Drops file in Windows directory 1 IoCs

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

Modifies registry class 1 IoCs

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.execsc.exe2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe

description	pid	process	target process
PID 908 wrote to memory of 1092	908	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 908 wrote to memory of 1092	908	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 908 wrote to memory of 1092	908	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 908 wrote to memory of 1092	908	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 2024	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	csc.exe
PID 1092 wrote to memory of 2024	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	csc.exe
PID 1092 wrote to memory of 2024	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	csc.exe
PID 1092 wrote to memory of 2024	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	csc.exe
PID 2024 wrote to memory of 2000	2024	csc.exe	cvtres.exe
PID 2024 wrote to memory of 2000	2024	csc.exe	cvtres.exe
PID 2024 wrote to memory of 2000	2024	csc.exe	cvtres.exe
PID 2024 wrote to memory of 2000	2024	csc.exe	cvtres.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1092 wrote to memory of 1896	1092	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
PID 1896 wrote to memory of 612	1896	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	dw20.exe
PID 1896 wrote to memory of 612	1896	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	dw20.exe
PID 1896 wrote to memory of 612	1896	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	dw20.exe
PID 1896 wrote to memory of 612	1896	2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
"C:\Users\Admin\AppData\Local\Temp\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lv__fp4n.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBD67.tmp"
4⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 428
4⤵
- Loads dropped DLL
PID:612

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Filesize
371KB

MD5
48501a49acd98763d41045a2b8bd1155

SHA1
f3d4d70382f8af148cc8e97e8731ae4f196222fb

SHA256
d46fc67c400665c1bdf4003b41f495bc64a605775b1a739e8fc716af239bd1ec

SHA512
e5014aed848a7938fb5a5f10402852fcd7e5be03345daad7a6dd6efe06beceb90c8448edd81f464c8f0491968f482fce61be619bdb48926aabdb2c66b6315a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Filesize
371KB

MD5
48501a49acd98763d41045a2b8bd1155

SHA1
f3d4d70382f8af148cc8e97e8731ae4f196222fb

SHA256
d46fc67c400665c1bdf4003b41f495bc64a605775b1a739e8fc716af239bd1ec

SHA512
e5014aed848a7938fb5a5f10402852fcd7e5be03345daad7a6dd6efe06beceb90c8448edd81f464c8f0491968f482fce61be619bdb48926aabdb2c66b6315a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Filesize
371KB

MD5
48501a49acd98763d41045a2b8bd1155

SHA1
f3d4d70382f8af148cc8e97e8731ae4f196222fb

SHA256
d46fc67c400665c1bdf4003b41f495bc64a605775b1a739e8fc716af239bd1ec

SHA512
e5014aed848a7938fb5a5f10402852fcd7e5be03345daad7a6dd6efe06beceb90c8448edd81f464c8f0491968f482fce61be619bdb48926aabdb2c66b6315a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD68.tmp
Filesize
1KB

MD5
f0108d9c3eab89fb5fa55d3d885c86c4

SHA1
9977832292a244de22fe65f48f5c60025f4927b1

SHA256
60210632a13579ec111a7ede053423b8dc9a3be183947aece01463bc4de475c3

SHA512
1eae339b88ca4408cb2cb35d85b4ee4db297ce250997592a5085b6a04c3865f01850b357a8c6a5fb90642bcc495eb7c28fd887f3ca4947a2794a2edb9a59f5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lv__fp4n.dll
Filesize
164KB

MD5
0154854b11dfbc5c03319ff53ffb199b

SHA1
75521cbe1306d5729e1d41f6c8e9b436c9a9aae7

SHA256
8607f504ff304acfc31848912efaa32fa3e4a758993c179d09b869343925d51e

SHA512
2030386e907691c49783214a9cc63afbd89d24616bd8305285adfe3a1c0bc948cbf5bc0ea684dd010d18a123df99fdf400cf011a2f668aa924d68b3149a802c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCBD67.tmp
Filesize
652B

MD5
6c4d8cd3c2173c0707b69b713fe95064

SHA1
13b1d41d1c5ed4203ec4a18e8cfa8404f31f3f85

SHA256
490ad6ce4fd2b56cbde695eda118abde153b1c7dcdea9c9a7cf29c9ab34dd29d

SHA512
2911349b5c32ea930854edbf27b9371706173fc8f893e2da000c03969730070c720d4ef81c358c27413e40f2e2505b5dc13cbe2c8a9e7cbef10e6f7d53e68a90

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lv__fp4n.cmdline
Filesize
196B

MD5
b4c753ed38634caa12e09fd8dc96f045

SHA1
58a1d5e2e20cdfe2b0aaadcc3e34238c16f924d4

SHA256
9745a6d6d9983e626ba2e07ddeb696630469cae5101ccf62691223b3f28d7bb5

SHA512
55a4d6bf4b3a26b1cdf904d071984dbe1e83d94df8b28567585ac867c25d1ffe71e36379c5c7f53409a80525c4ae039cba1ed7113a150999e79ad3303ee6a928

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tmpBA7A.tmp.txt
Filesize
74KB

MD5
4e26ce8ccf9443df30e0fdf076e0d3ec

SHA1
218d1ccef293c1b439e2d3d3f5cf855936bf1879

SHA256
e3606f778cc51f59cc072f8083acfadd15782d340fdde6adf37edcb3a4573684

SHA512
829b1e808888892cb15647d608f6ec4f208186d9424f6eb36185d8466c6df52873760fac6ca087741c6a2caf256a97dface85f317ffc5bd8c6791ec27c80d35f

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Filesize
371KB

MD5
48501a49acd98763d41045a2b8bd1155

SHA1
f3d4d70382f8af148cc8e97e8731ae4f196222fb

SHA256
d46fc67c400665c1bdf4003b41f495bc64a605775b1a739e8fc716af239bd1ec

SHA512
e5014aed848a7938fb5a5f10402852fcd7e5be03345daad7a6dd6efe06beceb90c8448edd81f464c8f0491968f482fce61be619bdb48926aabdb2c66b6315a12

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Filesize
371KB

MD5
48501a49acd98763d41045a2b8bd1155

SHA1
f3d4d70382f8af148cc8e97e8731ae4f196222fb

SHA256
d46fc67c400665c1bdf4003b41f495bc64a605775b1a739e8fc716af239bd1ec

SHA512
e5014aed848a7938fb5a5f10402852fcd7e5be03345daad7a6dd6efe06beceb90c8448edd81f464c8f0491968f482fce61be619bdb48926aabdb2c66b6315a12

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2703e007984b6f13f2c2a0547ff6084e2aa88ca4aff89233bc45fc288b4dac4b.exe
Filesize
371KB

MD5
48501a49acd98763d41045a2b8bd1155

SHA1
f3d4d70382f8af148cc8e97e8731ae4f196222fb

SHA256
d46fc67c400665c1bdf4003b41f495bc64a605775b1a739e8fc716af239bd1ec

SHA512
e5014aed848a7938fb5a5f10402852fcd7e5be03345daad7a6dd6efe06beceb90c8448edd81f464c8f0491968f482fce61be619bdb48926aabdb2c66b6315a12

Download Submit
memory/612-86-0x0000000000000000-mapping.dmp

Download
memory/908-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1092-63-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1092-56-0x0000000000000000-mapping.dmp

Download
memory/1092-85-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-78-0x000000000040C90E-mapping.dmp

Download
memory/1896-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-89-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-91-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads