neshta | 9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17

Analysis

max time kernel
81s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Size

286KB
MD5

a1ef5994415011741f255876abdc1274
SHA1

810212f961045c847dbe211f842fe66376542d0a
SHA256

9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17
SHA512

9992759c6283c46a81c3f5ceb1b44388b4d3eb8ceb1d3a2552aee62c6c29cb2c7d4113344d2f28562a63eb7a4d287e8585532b3cacc1b55921221a71bd6aefd3
SSDEEP

6144:byH7xOc6H5c6HcT66vlmrYWZ8B726xfLq0XLoUePSeqBlJusyH7xOc6H5c6HcT6I:banWZclq0XbePSra+ePSK

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 5 IoCs

Processes:

svchost.exe9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exesvchost.exe9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exesvchost.exe

pid	process
1752	svchost.exe
960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
1308	svchost.exe
1720	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
1760	svchost.exe

Loads dropped DLL 7 IoCs

Processes:

svchost.exe9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

pid	process
1752	svchost.exe
1752	svchost.exe
960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

Drops file in Windows directory 3 IoCs

Processes:

9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

description	ioc	process
File created	C:\Windows\svchost.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File opened for modification	C:\Windows\svchost.com	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
File created	C:\Windows\svchost.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exesvchost.exe9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe

description	pid	process	target process
PID 916 wrote to memory of 1752	916	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe
PID 916 wrote to memory of 1752	916	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe
PID 916 wrote to memory of 1752	916	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe
PID 916 wrote to memory of 1752	916	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe
PID 1752 wrote to memory of 960	1752	svchost.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 1752 wrote to memory of 960	1752	svchost.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 1752 wrote to memory of 960	1752	svchost.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 1752 wrote to memory of 960	1752	svchost.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 960 wrote to memory of 1720	960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 960 wrote to memory of 1720	960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 960 wrote to memory of 1720	960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 960 wrote to memory of 1720	960	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
PID 1720 wrote to memory of 1760	1720	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe
PID 1720 wrote to memory of 1760	1720	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe
PID 1720 wrote to memory of 1760	1720	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe
PID 1720 wrote to memory of 1760	1720	9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
"C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
"C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe"
5⤵
- Executes dropped EXE
PID:1760

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
Filesize
894KB

MD5
b4080f9d2127dd804d4fda06b99645fa

SHA1
c4fa3b77430e94f9cf4d88179b783c7fbb9370a1

SHA256
8be516c69636c929b05a8bd553708fe226a3853d3e19849df1587bb732be1b69

SHA512
99428827a70cbfcee36a1255f62e77c5ba85c5736a56417d634297565281121928579c14b1d4abf1702be7c208c47277033bc9c1ec5fabb137e7671fd7ad4144

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
210KB

MD5
52fb8a7cabc51e581a1856d13837ec10

SHA1
a5781121a57f838ce5e0864585d7649b30aa4dc5

SHA256
c0c120236f6e9344dd49284b7b7849ad8ead9918d683d6fd55896a9491cf7c74

SHA512
523fc8f020254bae1ed407228821c4a7d62b12a5b5e42f583a76e09fad53b52df0fbc4244ab5c111e0af42e969ea76b1f2e7b7c300484101a6576112d903b6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
210KB

MD5
52fb8a7cabc51e581a1856d13837ec10

SHA1
a5781121a57f838ce5e0864585d7649b30aa4dc5

SHA256
c0c120236f6e9344dd49284b7b7849ad8ead9918d683d6fd55896a9491cf7c74

SHA512
523fc8f020254bae1ed407228821c4a7d62b12a5b5e42f583a76e09fad53b52df0fbc4244ab5c111e0af42e969ea76b1f2e7b7c300484101a6576112d903b6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
251KB

MD5
7a96a74c14af7f295da07f8bb9959d1f

SHA1
943c0fb97807ee90cda3f298bf978b5026151403

SHA256
a51763c664b34d67281c24c1a56f2cf4dc727e90a6826d506ae96bf88f7f3bf9

SHA512
6968b454d2a4978e95fae715614167443f420fcecaacbcde378e41f619adac98ddff8d8708413e190221be5bb585a13c46d36bd8ab214772c6f428fa5aadeae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
251KB

MD5
7a96a74c14af7f295da07f8bb9959d1f

SHA1
943c0fb97807ee90cda3f298bf978b5026151403

SHA256
a51763c664b34d67281c24c1a56f2cf4dc727e90a6826d506ae96bf88f7f3bf9

SHA512
6968b454d2a4978e95fae715614167443f420fcecaacbcde378e41f619adac98ddff8d8708413e190221be5bb585a13c46d36bd8ab214772c6f428fa5aadeae2

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
210KB

MD5
52fb8a7cabc51e581a1856d13837ec10

SHA1
a5781121a57f838ce5e0864585d7649b30aa4dc5

SHA256
c0c120236f6e9344dd49284b7b7849ad8ead9918d683d6fd55896a9491cf7c74

SHA512
523fc8f020254bae1ed407228821c4a7d62b12a5b5e42f583a76e09fad53b52df0fbc4244ab5c111e0af42e969ea76b1f2e7b7c300484101a6576112d903b6ba

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
210KB

MD5
52fb8a7cabc51e581a1856d13837ec10

SHA1
a5781121a57f838ce5e0864585d7649b30aa4dc5

SHA256
c0c120236f6e9344dd49284b7b7849ad8ead9918d683d6fd55896a9491cf7c74

SHA512
523fc8f020254bae1ed407228821c4a7d62b12a5b5e42f583a76e09fad53b52df0fbc4244ab5c111e0af42e969ea76b1f2e7b7c300484101a6576112d903b6ba

Download Submit
\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
251KB

MD5
7a96a74c14af7f295da07f8bb9959d1f

SHA1
943c0fb97807ee90cda3f298bf978b5026151403

SHA256
a51763c664b34d67281c24c1a56f2cf4dc727e90a6826d506ae96bf88f7f3bf9

SHA512
6968b454d2a4978e95fae715614167443f420fcecaacbcde378e41f619adac98ddff8d8708413e190221be5bb585a13c46d36bd8ab214772c6f428fa5aadeae2

Download Submit
\Users\Admin\AppData\Local\Temp\9960c74d88fa39eaea3e74a284e5086f58709ab0eccbde42b8c1002da8f3ea17.exe
Filesize
251KB

MD5
7a96a74c14af7f295da07f8bb9959d1f

SHA1
943c0fb97807ee90cda3f298bf978b5026151403

SHA256
a51763c664b34d67281c24c1a56f2cf4dc727e90a6826d506ae96bf88f7f3bf9

SHA512
6968b454d2a4978e95fae715614167443f420fcecaacbcde378e41f619adac98ddff8d8708413e190221be5bb585a13c46d36bd8ab214772c6f428fa5aadeae2

Download Submit
memory/960-59-0x0000000000000000-mapping.dmp

Download
memory/960-61-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1720-66-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000000000000-mapping.dmp

Download
memory/1760-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads