Analysis
-
max time kernel
174s -
max time network
184s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 08:04
Static task
static1
Behavioral task
behavioral1
Sample
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
Resource
win10v2004-20220812-en
General
-
Target
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
-
Size
1.1MB
-
MD5
1c9527702352f60e80a4f0c1ea782aad
-
SHA1
58614fdde61180bbd8f9cfa0961552f9fcf07b96
-
SHA256
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb
-
SHA512
3b52a17f6c9dd5e69fcd8aaed1f004731c38a990e46f65c598c463f3fd5a507a940dcc4845acee9c3f7a97c1a076c707bd153b61613f2069a1306d0fa11e3d68
-
SSDEEP
24576:O5ffRG/U+LJjcBS5h3bXU+8VBkPS1BdRdb+mevJqDkrTLX8LvE8Z9Pw9:g8/U+LISf3bt8APS3IxLXAvEs9Pw9
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Executes dropped EXE 2 IoCs
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exeupdate.exepid process 2732 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe 4832 update.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exedescription ioc process File opened (read-only) \??\l: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\o: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\p: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\s: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\w: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\g: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\j: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\u: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\v: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\x: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\e: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\k: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\q: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\t: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\z: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\i: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\n: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\f: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\h: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\m: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\r: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\y: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\a: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened (read-only) \??\b: 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe -
Drops file in Program Files directory 64 IoCs
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exedescription ioc process File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe -
Drops file in Windows directory 1 IoCs
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exedescription ioc process File opened for modification C:\Windows\svchost.com 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
update.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier update.exe -
Modifies registry class 1 IoCs
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exedescription pid process target process PID 2200 wrote to memory of 2732 2200 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe PID 2200 wrote to memory of 2732 2200 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe PID 2200 wrote to memory of 2732 2200 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe PID 2732 wrote to memory of 4832 2732 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe update.exe PID 2732 wrote to memory of 4832 2732 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe update.exe PID 2732 wrote to memory of 4832 2732 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe update.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe"C:\Users\Admin\AppData\Local\Temp\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe"1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\7f92dc80ae4\update\update.exec:\7f92dc80ae4\update\update.exe3⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:4832
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\7f92dc80ae4\update\update.exeFilesize
273KB
MD5913e1622f99f34bf0ea509a6263cad70
SHA12676197585b4a192374a9e8f5dc4b4f0ade8e848
SHA2564885e589817ee15a723b3146d93e6ba2791944b5de02f31f5d9a10a62afee518
SHA512d70be96ca1090c70800a4494407daff89ad037d008ef5a18c3267d4f790233a0eda864307b87f6f56a05c55529b03174e74a54a1ce0e7b9630abd169d4d45485
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exeFilesize
1.1MB
MD5f6e17839f613103775997c9d793bb01f
SHA12ccd29707f60a769f8771766e984aa18682d652a
SHA256355f1e3ba6fa2264818d257ff34011f1460ed5a9e273e5ec027308b4a2d2e639
SHA5126c838d158230606c3654b2a35ca7cb3f1d7ca39d6791b09217586b692f0b73f63a418f54c7d310a65386f345159e40addb34edd50469acfc91a3514ae8b14668
-
C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exeFilesize
1.1MB
MD5f6e17839f613103775997c9d793bb01f
SHA12ccd29707f60a769f8771766e984aa18682d652a
SHA256355f1e3ba6fa2264818d257ff34011f1460ed5a9e273e5ec027308b4a2d2e639
SHA5126c838d158230606c3654b2a35ca7cb3f1d7ca39d6791b09217586b692f0b73f63a418f54c7d310a65386f345159e40addb34edd50469acfc91a3514ae8b14668
-
\??\c:\7f92dc80ae4\update\update.exeFilesize
273KB
MD5913e1622f99f34bf0ea509a6263cad70
SHA12676197585b4a192374a9e8f5dc4b4f0ade8e848
SHA2564885e589817ee15a723b3146d93e6ba2791944b5de02f31f5d9a10a62afee518
SHA512d70be96ca1090c70800a4494407daff89ad037d008ef5a18c3267d4f790233a0eda864307b87f6f56a05c55529b03174e74a54a1ce0e7b9630abd169d4d45485
-
\??\c:\7f92dc80ae4\update\update.infFilesize
6KB
MD5a1e961d84ffbb5a80503dccdbd64a5d1
SHA1e55d291ca0f12967c3d8cc035a6c49b88bc89e98
SHA256ad4332420a486a41e257eea63f6dff0b52ce593b103dad05bf6f16397fe2503d
SHA51270409278e78c73ef442791e41f06e621710c51458a903de75f958f77f0283b065f24532b9bb4a1fb5270e7ac06e58093c1c517b25de4d176e060283ea1b3a99d
-
memory/2732-132-0x0000000000000000-mapping.dmp
-
memory/4832-135-0x0000000000000000-mapping.dmp