neshta | a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6

Analysis

max time kernel
103s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
Size

324KB
MD5

ca3f0d81cee00a61795e68e2b97a8c80
SHA1

f0a028f8ee13afd73e480f9155b32ea55aea8fac
SHA256

a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6
SHA512

38996cf3b2f658bba712799fa5684e99b4bc5bdf1e82a170e65cf1ff9d0005da84698d6cf9d328fe3ad5f355fa6c74c1bdd0cc52c9b42b1a1e43b10e1549450f
SSDEEP

6144:k9oo5yvLuXiP/v+97vx7o18Ydquy+ozj1dlZ2:vo5yvLuyf+9bxuqt+oX1dlQ

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 27 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{18F12~1\MicrosoftEdgeUpdateSetup_X86_1.3.167.21.exe	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exesvchost.comserv13.exe

pid process

1804 a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
4456 svchost.com
3868 serv13.exe

pid	process
1804	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
4456	svchost.com
3868	serv13.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exea236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

svchost.coma236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com

Drops file in Windows directory 3 IoCs

Processes:

svchost.coma236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry class 2 IoCs

Processes:

a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exea236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dw20.exe

description pid process

Token: SeBackupPrivilege 5052 dw20.exe
Token: SeBackupPrivilege 5052 dw20.exe

description	pid	process
Token: SeBackupPrivilege	5052	dw20.exe
Token: SeBackupPrivilege	5052	dw20.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exea236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exesvchost.comserv13.exe

description	pid	process	target process
PID 1300 wrote to memory of 1804	1300	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
PID 1300 wrote to memory of 1804	1300	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
PID 1300 wrote to memory of 1804	1300	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
PID 1804 wrote to memory of 4456	1804	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe	svchost.com
PID 1804 wrote to memory of 4456	1804	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe	svchost.com
PID 1804 wrote to memory of 4456	1804	a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe	svchost.com
PID 4456 wrote to memory of 3868	4456	svchost.com	serv13.exe
PID 4456 wrote to memory of 3868	4456	svchost.com	serv13.exe
PID 3868 wrote to memory of 5052	3868	serv13.exe	dw20.exe
PID 3868 wrote to memory of 5052	3868	serv13.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
"C:\Users\Admin\AppData\Local\Temp\a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\3582-490\a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\EXTRAC~1\serv13.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4456

C:\EXTRAC~1\serv13.exe
C:\EXTRAC~1\serv13.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 744
5⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\EXTRAC~1\serv13.exe
Filesize
265KB

MD5
67bf8a0fb94878ee424e273fefd1a763

SHA1
60e1827dac2627b5cd49dacaa7c7b10306dcb196

SHA256
4804aa47f864baed0545163cc54c4418246892e43cbf7fe787fb6b8889ed0674

SHA512
b5c66efb4172994e220c9a62937833f79407df9278d7d0f1454dbeb498796c2456862232bc308556d6e9e48280133289c6b78c28ad73920eae4bd59e8811fe5e

Download Submit
C:\Extracted\serv13.exe
Filesize
265KB

MD5
67bf8a0fb94878ee424e273fefd1a763

SHA1
60e1827dac2627b5cd49dacaa7c7b10306dcb196

SHA256
4804aa47f864baed0545163cc54c4418246892e43cbf7fe787fb6b8889ed0674

SHA512
b5c66efb4172994e220c9a62937833f79407df9278d7d0f1454dbeb498796c2456862232bc308556d6e9e48280133289c6b78c28ad73920eae4bd59e8811fe5e

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
127KB

MD5
02c064bea2cf9da44904c9a1ecb61c48

SHA1
75b874030dc2300f6663ba70e3bb5b4475e4b89c

SHA256
3ed504ee3804fdd067bf02599ae9d41ef0f795f9f6f5ae1038e25578d0230f0a

SHA512
fb8aa2bba96efa28fd56ccf5bb0d2505c13d4b98740ad3f5c1b8b0ea131ebd4f9e9822d259e9c96ec595c5843f908f12b51880a8d4c366721591e89c830a5ce8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
224KB

MD5
f89440ce4ff5c1295c1799339a530303

SHA1
b3cdd4410c3b3315713a24cd547664a220e7ec0d

SHA256
5fac23766b327e314ff6ccfefa8c5db37aafa58814277a0e16ab1b78dad3beb2

SHA512
8b8c3181b591e40d6e3802a65dd47ffd00e4d59950ec29433db5f484e71ef3a91fd22d5e372b08f4f3ab27a6cc7045e11e181fb112b27d8daa6d260a506d5beb

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
982KB

MD5
4e8c731e3175d6d2f5085fe55974e1db

SHA1
74604823bd1e5af86d66e4986c1203f2bf26e657

SHA256
8a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325

SHA512
a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize
138KB

MD5
950000c930454e0c30644f13ed60e9c3

SHA1
5f6b06e8a02e1390e7499722b277135b4950723d

SHA256
09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

SHA512
22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
Filesize
178KB

MD5
22913149a9d766c415c21e613e4e1d1b

SHA1
36b33b1ab48615ebe7bd25472d50ba3de56a21c6

SHA256
495ac0a638059cb60b2eebf3ac5e8fd17d5fbc7424195308f19e2ffeac3e0ced

SHA512
d9e5396bb24e3ad7ba31b45e8e1bfeb74c32895ab3af6544715c5db04da0442fafd82b06c49a920d964cf0a8fac7a58ccef4a173f1a5879c6733748edc180b14

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
Filesize
445KB

MD5
018f65edabf8cad566cacd35da90eed7

SHA1
dda69ad75ec00e3fefffc39542a9b7f0fd21e942

SHA256
746119286fec5a58b16c606ec17652b3ccac611a898321c379be48e6d3be0252

SHA512
33a13b220a102826ed3e80af54965b2bf0cbe2e74c361520129363f354e0cfca905d4a56c33421b2cd9ecb0e4b21e399278c1abcaf3916c2b499c254ae8c18af

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
231KB

MD5
2a226fd810c5ce7b825ff7982bc22a0b

SHA1
58be5cb790336a8e751e91b1702a87fc0521a1d8

SHA256
af9e01dab96c2a54e2751a0d703cc55fdcc5ac00c40f0be2e13fd85c09b66132

SHA512
f122ce37b07871b88e322b0ca2e42f3170704d4165167d6d7b02883da9d2be5d2d62bdbd9f7e18d1c0c5e60e9e707a3b64ddb99150c99028333818dfa769deeb

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE
Filesize
328KB

MD5
326e71e4d53af74356aa91a7eeb0a828

SHA1
04f7d565d9c98715aec62d485453415330f20db5

SHA256
177018bcdd23f7566b1927581e9510b68418d58f84cc06e56e67395ed989447f

SHA512
39bab63a0e2caad9778bec8bf6ea6134c8e588f7ba2f4a9ec99280cf817dd39a8a7ef492418e285b7615ff7b383394d20a5d804c64268add53f85007bde4f8f7

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE
Filesize
245KB

MD5
96b3fbc44c00f95b27c464e2fff1989a

SHA1
0386b80c2df9ffd4ed722f3fc5d296d7ac54dd44

SHA256
499d822a22570d25050d8fdb3b98b2fe3d2d1b8926b8cbd17178ebc105fe3e05

SHA512
ae7e35f0762679548be5998f8f9da8c91f83885ae0eecfb9e6194a67f56b7f58f3fdf3bc53d2f5c716c544cf8dff5694e7d5fd1dc934e28b96704d5bfc3cbf8e

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE
Filesize
212KB

MD5
98aca4946e1005f28128ddcf101e255a

SHA1
4e32bf3ca6ab3b6fb7982efde8f6a9dbde55978c

SHA256
35ef4063e0de7d7341217591a448d28295d85e223a2697a04fd33e5c8bec623a

SHA512
547ec9fe3fbe187e52d5443d3d86205a453f148b213f2b3c314c8f714b2219c9e5d234b0af1b52c7dba1e01181b0e74d31773a9d48ce3c9f12caab416191d98b

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{18F12~1\MicrosoftEdgeUpdateSetup_X86_1.3.167.21.exe
Filesize
1.6MB

MD5
6aaa6614c082621e8374c6469b82b710

SHA1
1e177556825352f497dc73d48451061075dd22bc

SHA256
aa62653c4ced5860567239f4dd59fabfb528ce59b3cd8d7ba0e3e450d8e2d66c

SHA512
e3e4e180b6f2ebebbe637f51d3bfeca8d3c7ecae4b93f990d4099d1f0fa8777324042761b1acc22740c837deff599d4da157a8ff59a7f8c94c8596df695b29dd

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
Filesize
3.2MB

MD5
9ccbe770dfaf7fc66e535bcfb1e25f43

SHA1
9a57d13a14c8feebaa72592b05f56c41acba7cc5

SHA256
e1f7231e4f4bc2260a93cd1b69237786a8b6764f4637397fdb676681e66bcda9

SHA512
80a2e09bb8dcf7f9cad749cf71acebb93f6efd3913e3cedfccef7b9a59008dd55d55a237dcb7bfbab86f47ef6f3e0165e0a7987b378f536e68ec91a613f24e7b

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
536KB

MD5
8e7b72380cc9ee9bf35c0de5fde4ab3a

SHA1
c19151c331ab274bbf5f6792ca707eb8a7017dba

SHA256
d82ca304cf64be3922b12111c962e09a6ddb2b8477e25b6c3f0400eddc38c80b

SHA512
acff1c08f9c8443d0b0589f5a7d7cab532462788406feba64825fdd2addf5b6cc8e773713e93c98991afbc7e364233fe7cf0659574cebe2200f8f7f818bfe927

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
536KB

MD5
31685b921fcd439185495e2bdc8c5ebf

SHA1
5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

SHA256
4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

SHA512
04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
536KB

MD5
8e7b72380cc9ee9bf35c0de5fde4ab3a

SHA1
c19151c331ab274bbf5f6792ca707eb8a7017dba

SHA256
d82ca304cf64be3922b12111c962e09a6ddb2b8477e25b6c3f0400eddc38c80b

SHA512
acff1c08f9c8443d0b0589f5a7d7cab532462788406feba64825fdd2addf5b6cc8e773713e93c98991afbc7e364233fe7cf0659574cebe2200f8f7f818bfe927

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE
Filesize
2.4MB

MD5
1319acbba64ecbcd5e3f16fc3acd693c

SHA1
f5d64f97194846bd0564d20ee290d35dd3df40b0

SHA256
8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce

SHA512
abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe
Filesize
1.7MB

MD5
e25ffbddf046809226ea738583fd29f9

SHA1
ebda60d1f49cd1c2559d6c0f0a760dac7f38ce98

SHA256
91630469f3d18ebf1be43522b6dcb6547c3b67ab7a17a246e1b2122628dfcd80

SHA512
4417cba81c77c2a60e448b69dc615574ed4862fd97af014ebdf3ffbdde8a6c9bc32aca4881f59037f908a67b674d9e49b817fc1e6865e8f08e374f36baade101

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
Filesize
283KB

MD5
dd75e1d04784d4eda6ff4263358e6533

SHA1
f746f575b19fa736f940a711894d8c5a3941e2e6

SHA256
40309700c520a96bcd3f862e854c9b53d07278d5e81dd573c63e04dfc89996a2

SHA512
791481b0c5d88df7575e24aabb5df737c824ad25cfd8ce030ef464bc0007fc8deb7a61280474e7b9dce3bba5c78dd2616a7f8a40aa454eef213ee8ff79fd5b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a236fbecb1293dead7d2b90320d10e1438aed4d805a1dcd61cf77b35075b61d6.exe
Filesize
283KB

MD5
dd75e1d04784d4eda6ff4263358e6533

SHA1
f746f575b19fa736f940a711894d8c5a3941e2e6

SHA256
40309700c520a96bcd3f862e854c9b53d07278d5e81dd573c63e04dfc89996a2

SHA512
791481b0c5d88df7575e24aabb5df737c824ad25cfd8ce030ef464bc0007fc8deb7a61280474e7b9dce3bba5c78dd2616a7f8a40aa454eef213ee8ff79fd5b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize
8B

MD5
b11a5fab786a2e26ec8d8f5679acc20f

SHA1
79c3276593d81072642c1860ec3b89389963c518

SHA256
af2025774ba960f4347f89433be00f0c74efcae70e402a9d8acd55ca2a099ae4

SHA512
464abb228484b4d990a6400a2f0d0edecd728ff4b26475d68da7b21cbab94d26e63eee439994774340b6a4d9be21e273aae40bc9bf397c86348538f6d2735415

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
9908eb536a8c2b4fd06bd7f11f56ecae

SHA1
aa235bdb0fe91394e0565c08e7263729651ff2c6

SHA256
319ac61bfc18dccc63274f905df072b477088701b4c778c0cd8c0135c3e6193e

SHA512
8432789eaaf1761eccdbb50a183044e4b20e68e636be243765c4546ce6261048bb94e9f61b7803710175b7950c3c5463ad02f2f531dd88ed08aa356265eb8d30

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
9908eb536a8c2b4fd06bd7f11f56ecae

SHA1
aa235bdb0fe91394e0565c08e7263729651ff2c6

SHA256
319ac61bfc18dccc63274f905df072b477088701b4c778c0cd8c0135c3e6193e

SHA512
8432789eaaf1761eccdbb50a183044e4b20e68e636be243765c4546ce6261048bb94e9f61b7803710175b7950c3c5463ad02f2f531dd88ed08aa356265eb8d30

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/1804-132-0x0000000000000000-mapping.dmp

Download
memory/3868-139-0x0000000000000000-mapping.dmp

Download
memory/4456-135-0x0000000000000000-mapping.dmp

Download
memory/5052-141-0x0000000000000000-mapping.dmp

Download