neshta | 2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c

General

Target

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
Size

235KB
MD5

988e1645954b11aa0f2f1525debfb8f5
SHA1

7178cbe334ed2b609ca42c5b539258f7c41a9234
SHA256

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c
SHA512

098b7c07ca8276b552a4263e209347b916f55bc03662c7e2a370ad433dbcd0541589c2ea6cccc191874b4e49fc9ffc46a44f02deb95a4badfccbc887ce555134
SSDEEP

3072:zr8WDrCy6Qhd2e4vNRyOZIu440livAzoUZmebfG5R:Pu7QhdJOZIur9ocUZA5R

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

pid process

1780 2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

pid	process
1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Loads dropped DLL 2 IoCs

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

pid	process
1360	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
1360	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Drops file in Windows directory 1 IoCs

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043a032ffe7c7c740824c435fb9808d6d0000000002000000000010660000000100002000000036909f40e448ded6800f6013cfa596514a54a8fb0e6237a6412f350956127685000000000e8000000002000020000000893414e8e03576ea61582d060b780bf5cebf402df867b4a3dad86df1b16e38f690000000ead3d2e7db2c11dba0959bf52e7815cfbb44d5be8675aaa9d52ba28a954ce9fb25bcc600bbfeba18aa6adef0035e01853c09cc7b9445ddcf8ddb19ba8d70a664276a72c8c7e4bf37622a8de198d2c36f67a2ea6c145d1d4a5478ba713c46fd27c94d90334408e7a79ffc745b804fbd4f43aa48c1c987e1cfedd63a514168da30b0da03acabd76e27149360f43c73b008400000006f2b726d85fab5c08c27159dbe9536dcab0c6c4c8804bb0e917eb950a6b55e53d0ce79ee148c1b62e9c0fa61bdcf3fc5a7a0bfa515af2cfdc4340bf17db1a07d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC6EBCB1-6EA0-11ED-8DB1-7A3897842414} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376352191"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC6E95A1-6EA0-11ED-8DB1-7A3897842414} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40245ea8ad02d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043a032ffe7c7c740824c435fb9808d6d000000000200000000001066000000010000200000008ab8c8b7a3b34e84752041c1ca512350ad0078bcdd9a9f7794a6a1cfc66b83af000000000e80000000020000200000007d997199bfff362659cddaa1e6ceef551a1324f3513624f4bfa520c18e2f32f720000000158f167af90463d31a19c8c15243448907cbf634378a8a5e3dbd06d3f1d4dd6c400000008d9d23546f1f6d990f53f19baa537e3ada235d469d90995064c46facfefd38fc0e78ce09c19fc40f3857a7dc2d904f06e52c6d59b8dd5b7ab36c53b8a9c0f533	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 1 IoCs

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

description	pid	process
Token: SeDebugPrivilege	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
Token: SeDebugPrivilege	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1548 iexplore.exe
1672 iexplore.exe

pid	process
1548	iexplore.exe
1672	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1672	iexplore.exe
1672	iexplore.exe
1548	iexplore.exe
1548	iexplore.exe
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
868	IEXPLORE.EXE
868	IEXPLORE.EXE
868	IEXPLORE.EXE
868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1360 wrote to memory of 1780	1360	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
PID 1360 wrote to memory of 1780	1360	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
PID 1360 wrote to memory of 1780	1360	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
PID 1360 wrote to memory of 1780	1360	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
PID 1780 wrote to memory of 1548	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1780 wrote to memory of 1548	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1780 wrote to memory of 1548	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1780 wrote to memory of 1548	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1780 wrote to memory of 1672	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1780 wrote to memory of 1672	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1780 wrote to memory of 1672	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1780 wrote to memory of 1672	1780	2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe	iexplore.exe
PID 1672 wrote to memory of 868	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 868	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 868	1672	iexplore.exe	IEXPLORE.EXE
PID 1672 wrote to memory of 868	1672	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 1352	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 1352	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 1352	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 1352	1548	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
"C:\Users\Admin\AppData\Local\Temp\2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://red-hack.ru/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://red-hack.ru/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1672 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BC6E95A1-6EA0-11ED-8DB1-7A3897842414}.dat
Filesize
3KB

MD5
08404a019397b1877995f696555e6ce1

SHA1
4023dec95f9fa14bd58f2bed0ba72a2d0a181013

SHA256
388047ef889aded1979749e2c349b090f777fca0f3dd25e0f548a4948e36e27f

SHA512
8281578f27d0e94d9847ffcf3affde399ed9cf939d052c81a9f028c004f7eab09df712ee7a179a7c67a51735576ff51f930ab82918cc5fef420ef22eee3cd4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BC6EBCB1-6EA0-11ED-8DB1-7A3897842414}.dat
Filesize
5KB

MD5
0e40cf11af50028f3f18609df99e6ca5

SHA1
1a00af1f05447dd94fa047f45a0fa94200b379e2

SHA256
d18499986d8883b03867d4c203ee6271b322dc88d37db13bc656a1bd192e6163

SHA512
7cd3f2f8a17068b919462af0c56a7ca3dbee22b74c03e637810a97e6cbf126bcd30ea227b9e5a697722f5ca8a143786c2bce722cdfa41a31fae6885dbfbb9434

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
Filesize
194KB

MD5
4a7ff7873efffda0c1f5fdd64a63c9f6

SHA1
51f8640068b2294de42499d458083f7ce4640658

SHA256
39f574d6c714ed5550e8a50c44176d0e4eed23eb8a853169273cbaf4fd9f7879

SHA512
a62ada2ba7504c8dee6f6325c9320e896d05ab4f7e34aa9698c6612dfbbf56d7b6176bebf2936f34d83f9bd5922f79c81c3f60a8c0ad410b70285aa802a750f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
Filesize
194KB

MD5
4a7ff7873efffda0c1f5fdd64a63c9f6

SHA1
51f8640068b2294de42499d458083f7ce4640658

SHA256
39f574d6c714ed5550e8a50c44176d0e4eed23eb8a853169273cbaf4fd9f7879

SHA512
a62ada2ba7504c8dee6f6325c9320e896d05ab4f7e34aa9698c6612dfbbf56d7b6176bebf2936f34d83f9bd5922f79c81c3f60a8c0ad410b70285aa802a750f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SJXBPSDC.txt
Filesize
608B

MD5
c0816fbbea5d510755a5e8be0fa7c35b

SHA1
724c48aa441e49bc3cc20579af93da78490ce196

SHA256
bc2591721f4774704bdd25c81e8ab2eb7ccaf8c7239ec1bd8b09bacc30404dee

SHA512
566987247978a4b8c0bc3fb6727d167eceba30cc51a7caa79836e9d4512b758af24ad9ca4e003178c1be9cda6993fde8a17cf074f8a953a431797b9e6836b798

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2b8ae2c48f10a3d75543f612c40da8d89fd48633877e54d242636e41ad788f3c.exe
Filesize
194KB

MD5
4a7ff7873efffda0c1f5fdd64a63c9f6

SHA1
51f8640068b2294de42499d458083f7ce4640658

SHA256
39f574d6c714ed5550e8a50c44176d0e4eed23eb8a853169273cbaf4fd9f7879

SHA512
a62ada2ba7504c8dee6f6325c9320e896d05ab4f7e34aa9698c6612dfbbf56d7b6176bebf2936f34d83f9bd5922f79c81c3f60a8c0ad410b70285aa802a750f1

Download Submit
memory/1360-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1780-56-0x0000000000000000-mapping.dmp

Download
memory/1780-60-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-64-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads