neshta | 7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689

General

Target

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
Size

1.6MB
MD5

086843be3574888c82076e12756a2d4d
SHA1

39df0a6268554f87b6a0937fec8ad116c0cc70d1
SHA256

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689
SHA512

a8e19d6dcc277fec6350f967676798142497f7b44ca1f26296fc50e070f96191848021a912bd073c56a560b55ca963230ee6a50d1efb82fc0ef311b6bf7bd765
SSDEEP

49152:1Vg5tQ7aOcbf5tIs5LkIO3k9dCwh69R3jfm:7g56CbksLkLkrCq6z3jfm

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

description	pid	process	target process
PID 5072 set thread context of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Drops file in Program Files directory 64 IoCs

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Drops file in Windows directory 1 IoCs

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

description ioc process

File opened for modification C:\Windows\svchost.com 7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Modifies registry class 1 IoCs

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

pid	process
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

pid	process
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

description	pid	process	target process
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
PID 5072 wrote to memory of 1472	5072	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe	7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe

C:\Users\Admin\AppData\Local\Temp\7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
"C:\Users\Admin\AppData\Local\Temp\7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe
  "C:\Users\Admin\AppData\Local\Temp\7fb0346eb8ce7d98a79084eeff1ddcd115ecfd1150a26bb52b39989b16267689.exe"
  2⤵
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-132-0x0000000000000000-mapping.dmp

Download
memory/1472-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1472-134-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1472-135-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1472-136-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1472-137-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads