neshta | 0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
Size

601KB
MD5

679e100f630ae3a79e1750bc15498ad5
SHA1

aeaead2657d304f8f7ec278da9e202764889dcdf
SHA256

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11
SHA512

b567c93b679aeb3b578a7c861294cead35c685ef0df8ecab7d50d17db3615d81008520ad26748720d494c291ea5c8f2d839f0fbe667001af46ea0e2d0a82f13c
SSDEEP

12288:H9OczTX1g+ACjgJ5Q+ON9R4qeACjdXE1cVKB/5EJz6L/tIoTGgsV:dO2TlgLCI5LON9R4qXCd0mYESKoTGgsV

Score

10^/10

neshta persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
Churbanka55555999

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Nirsoft 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-61-0x0000000000300000-0x0000000000362000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe	Nirsoft
behavioral1/memory/1152-76-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1152-77-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe	Nirsoft
behavioral1/memory/1752-90-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral1/memory/2036-91-0x0000000000690000-0x00000000006A9000-memory.dmp	Nirsoft
behavioral1/memory/2036-94-0x0000000000690000-0x00000000006A9000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exeWebBrowserPassView1.exeWebBrowserPassView2.exeWebBrowserPassView3.exeWebBrowserPassView4.exe

pid	process
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
1664	WebBrowserPassView1.exe
1152	WebBrowserPassView2.exe
1644	WebBrowserPassView3.exe
1752	WebBrowserPassView4.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe	upx
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe	upx
\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe	upx
behavioral1/memory/1152-76-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1152-77-0x0000000000400000-0x000000000041C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe	upx
\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe	upx
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe	upx
behavioral1/memory/1752-90-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2036-91-0x0000000000690000-0x00000000006A9000-memory.dmp	upx

Loads dropped DLL 10 IoCs

Processes:

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

pid	process
1280	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
1280	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Drops file in Windows directory 1 IoCs

Processes:

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

description ioc process

File opened for modification C:\Windows\svchost.com 0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Modifies registry class 1 IoCs

Processes:

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WebBrowserPassView2.exe0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

description	pid	process
Token: SeDebugPrivilege	1152	WebBrowserPassView2.exe
Token: SeRestorePrivilege	1152	WebBrowserPassView2.exe
Token: SeBackupPrivilege	1152	WebBrowserPassView2.exe
Token: SeDebugPrivilege	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

description	pid	process	target process
PID 1280 wrote to memory of 2036	1280	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
PID 1280 wrote to memory of 2036	1280	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
PID 1280 wrote to memory of 2036	1280	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
PID 1280 wrote to memory of 2036	1280	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
PID 2036 wrote to memory of 1664	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView1.exe
PID 2036 wrote to memory of 1664	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView1.exe
PID 2036 wrote to memory of 1664	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView1.exe
PID 2036 wrote to memory of 1664	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView1.exe
PID 2036 wrote to memory of 1152	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView2.exe
PID 2036 wrote to memory of 1152	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView2.exe
PID 2036 wrote to memory of 1152	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView2.exe
PID 2036 wrote to memory of 1152	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView2.exe
PID 2036 wrote to memory of 1644	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView3.exe
PID 2036 wrote to memory of 1644	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView3.exe
PID 2036 wrote to memory of 1644	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView3.exe
PID 2036 wrote to memory of 1644	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView3.exe
PID 2036 wrote to memory of 1752	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView4.exe
PID 2036 wrote to memory of 1752	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView4.exe
PID 2036 wrote to memory of 1752	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView4.exe
PID 2036 wrote to memory of 1752	2036	0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe	WebBrowserPassView4.exe

C:\Users\Admin\AppData\Local\Temp\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
"C:\Users\Admin\AppData\Local\Temp\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt
3⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.txt
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt
3⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe /stext C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt
3⤵
- Executes dropped EXE
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Filesize
560KB

MD5
e95ff676f76ae2b026a26621e70f8038

SHA1
c7e3d234f2c90ba00e69ed4ef6f7c74fa5b02fac

SHA256
61f7acc6d2255e2d90768c9dd4be2e014511727024792b9c8e0f161c2f6cba30

SHA512
f3416af401bed063a267c1997aee9e55a1f4603db4e2dfa53db20e90e4e76b21dc3180a0ac8d2f5a1441ba11341b286d56ddfa6ff8fa04a61130a1ded0f19e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Filesize
560KB

MD5
e95ff676f76ae2b026a26621e70f8038

SHA1
c7e3d234f2c90ba00e69ed4ef6f7c74fa5b02fac

SHA256
61f7acc6d2255e2d90768c9dd4be2e014511727024792b9c8e0f161c2f6cba30

SHA512
f3416af401bed063a267c1997aee9e55a1f4603db4e2dfa53db20e90e4e76b21dc3180a0ac8d2f5a1441ba11341b286d56ddfa6ff8fa04a61130a1ded0f19e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe

Filesize
70KB

MD5
398f515c4d202d9c9c1f884ac50bc72c

SHA1
ae86b2bb9323345a228b92fdb518e268f4a7b54d

SHA256
675692ae37f1ad32cc1c35e724331112e0701b41d3b2107457f6a2c994f38103

SHA512
f116731bac5c4e888ea45498984d81a097999cdff76d284bbb79470889726c2d765813c4b09169e02da63ce2fa7ee745dd7aeb60baae704cd3ef9ca8a55018a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe

Filesize
43KB

MD5
c861fe184e271d6e2ba958da306ba748

SHA1
b039e4d8e70261dfdf8ee521dcbc3e04348423a5

SHA256
f8a112b0d1ce4142e4d69cadfc2748c27026b491532fba18d9160f7eb48b4886

SHA512
ea127eaa149b5ff1b1f1de3891563b2e064e043f03e48ca298d3539e1f572297abd4efd951021372ba0090b8c30c06e7d144bec6d9828a5cc08a644155a8f3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe

Filesize
214KB

MD5
7b641e136f446860c48a3a870523249f

SHA1
f55465c1581b8cc1a012d3b7d8504c55e8e66e1c

SHA256
4cd6ed20baffc008b69642cd4687249fa0568c8bb8e29ce601ab6fef8a667382

SHA512
fd6f09775539e77e83927585d8a3ef230399be5bd0798f073e925113faf219225145df230fc0d232c8c6d1f0ec28936b7ac593dcb25f72796310f117811bd09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe

Filesize
39KB

MD5
8b4ae559ad7836b27ee9f8f171be8139

SHA1
c60ddcfc7b3954f4d0d515b1fdaf47c6999e50a4

SHA256
1130504f6095d2b09fb1ad39323ab9448798b41eb925539e2128160cec106609

SHA512
df13ae1aa3b481d1a819736af6dbf5fea5c930a1fe18ea0368a0d2efbe20334626dd90b42757bf8ef080f229e502c97cd6f5173738bc4967e26a04aee61c040b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\0651eb36fb416e496a4b43be732f87872d72cfa812beafa071515588c89f9c11.exe

Filesize
560KB

MD5
e95ff676f76ae2b026a26621e70f8038

SHA1
c7e3d234f2c90ba00e69ed4ef6f7c74fa5b02fac

SHA256
61f7acc6d2255e2d90768c9dd4be2e014511727024792b9c8e0f161c2f6cba30

SHA512
f3416af401bed063a267c1997aee9e55a1f4603db4e2dfa53db20e90e4e76b21dc3180a0ac8d2f5a1441ba11341b286d56ddfa6ff8fa04a61130a1ded0f19e89

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe

Filesize
70KB

MD5
398f515c4d202d9c9c1f884ac50bc72c

SHA1
ae86b2bb9323345a228b92fdb518e268f4a7b54d

SHA256
675692ae37f1ad32cc1c35e724331112e0701b41d3b2107457f6a2c994f38103

SHA512
f116731bac5c4e888ea45498984d81a097999cdff76d284bbb79470889726c2d765813c4b09169e02da63ce2fa7ee745dd7aeb60baae704cd3ef9ca8a55018a0

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView1.exe

Filesize
70KB

MD5
398f515c4d202d9c9c1f884ac50bc72c

SHA1
ae86b2bb9323345a228b92fdb518e268f4a7b54d

SHA256
675692ae37f1ad32cc1c35e724331112e0701b41d3b2107457f6a2c994f38103

SHA512
f116731bac5c4e888ea45498984d81a097999cdff76d284bbb79470889726c2d765813c4b09169e02da63ce2fa7ee745dd7aeb60baae704cd3ef9ca8a55018a0

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe

Filesize
43KB

MD5
c861fe184e271d6e2ba958da306ba748

SHA1
b039e4d8e70261dfdf8ee521dcbc3e04348423a5

SHA256
f8a112b0d1ce4142e4d69cadfc2748c27026b491532fba18d9160f7eb48b4886

SHA512
ea127eaa149b5ff1b1f1de3891563b2e064e043f03e48ca298d3539e1f572297abd4efd951021372ba0090b8c30c06e7d144bec6d9828a5cc08a644155a8f3ce

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView2.exe

Filesize
43KB

MD5
c861fe184e271d6e2ba958da306ba748

SHA1
b039e4d8e70261dfdf8ee521dcbc3e04348423a5

SHA256
f8a112b0d1ce4142e4d69cadfc2748c27026b491532fba18d9160f7eb48b4886

SHA512
ea127eaa149b5ff1b1f1de3891563b2e064e043f03e48ca298d3539e1f572297abd4efd951021372ba0090b8c30c06e7d144bec6d9828a5cc08a644155a8f3ce

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe

Filesize
214KB

MD5
7b641e136f446860c48a3a870523249f

SHA1
f55465c1581b8cc1a012d3b7d8504c55e8e66e1c

SHA256
4cd6ed20baffc008b69642cd4687249fa0568c8bb8e29ce601ab6fef8a667382

SHA512
fd6f09775539e77e83927585d8a3ef230399be5bd0798f073e925113faf219225145df230fc0d232c8c6d1f0ec28936b7ac593dcb25f72796310f117811bd09b

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView3.exe

Filesize
214KB

MD5
7b641e136f446860c48a3a870523249f

SHA1
f55465c1581b8cc1a012d3b7d8504c55e8e66e1c

SHA256
4cd6ed20baffc008b69642cd4687249fa0568c8bb8e29ce601ab6fef8a667382

SHA512
fd6f09775539e77e83927585d8a3ef230399be5bd0798f073e925113faf219225145df230fc0d232c8c6d1f0ec28936b7ac593dcb25f72796310f117811bd09b

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe

Filesize
39KB

MD5
8b4ae559ad7836b27ee9f8f171be8139

SHA1
c60ddcfc7b3954f4d0d515b1fdaf47c6999e50a4

SHA256
1130504f6095d2b09fb1ad39323ab9448798b41eb925539e2128160cec106609

SHA512
df13ae1aa3b481d1a819736af6dbf5fea5c930a1fe18ea0368a0d2efbe20334626dd90b42757bf8ef080f229e502c97cd6f5173738bc4967e26a04aee61c040b

Download Submit
\Users\Admin\AppData\Local\Temp\WebBrowserPassView4.exe

Filesize
39KB

MD5
8b4ae559ad7836b27ee9f8f171be8139

SHA1
c60ddcfc7b3954f4d0d515b1fdaf47c6999e50a4

SHA256
1130504f6095d2b09fb1ad39323ab9448798b41eb925539e2128160cec106609

SHA512
df13ae1aa3b481d1a819736af6dbf5fea5c930a1fe18ea0368a0d2efbe20334626dd90b42757bf8ef080f229e502c97cd6f5173738bc4967e26a04aee61c040b

Download Submit
memory/1152-71-0x0000000000000000-mapping.dmp

Download
memory/1152-77-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1152-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1280-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1644-80-0x0000000000000000-mapping.dmp

Download
memory/1664-65-0x0000000000000000-mapping.dmp

Download
memory/1752-86-0x0000000000000000-mapping.dmp

Download
memory/1752-90-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-61-0x0000000000300000-0x0000000000362000-memory.dmp

Filesize
392KB

Download
memory/2036-59-0x00000000009D0000-0x0000000000A64000-memory.dmp

Filesize
592KB

Download
memory/2036-75-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download
memory/2036-74-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/2036-91-0x0000000000690000-0x00000000006A9000-memory.dmp

Filesize
100KB

Download
memory/2036-92-0x0000000000690000-0x00000000006A9000-memory.dmp

Filesize
100KB

Download
memory/2036-93-0x0000000000690000-0x00000000006AC000-memory.dmp

Filesize
112KB

Download
memory/2036-94-0x0000000000690000-0x00000000006A9000-memory.dmp

Filesize
100KB

Download