neshta | 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb

General

Target

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
Size

1.1MB
MD5

1c9527702352f60e80a4f0c1ea782aad
SHA1

58614fdde61180bbd8f9cfa0961552f9fcf07b96
SHA256

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb
SHA512

3b52a17f6c9dd5e69fcd8aaed1f004731c38a990e46f65c598c463f3fd5a507a940dcc4845acee9c3f7a97c1a076c707bd153b61613f2069a1306d0fa11e3d68
SSDEEP

24576:O5ffRG/U+LJjcBS5h3bXU+8VBkPS1BdRdb+mevJqDkrTLX8LvE8Z9Pw9:g8/U+LISf3bt8APS3IxLXAvEs9Pw9

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exeupdate.exe

pid process

2732 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
4832 update.exe

pid	process
2732	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
4832	update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description	ioc	process
File opened (read-only)	\??\l:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\o:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\p:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\s:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\w:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\g:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\j:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\u:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\v:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\x:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\e:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\k:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\q:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\t:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\z:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\i:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\n:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\f:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\h:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\m:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\r:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\y:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\a:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened (read-only)	\??\b:	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

Drops file in Program Files directory 64 IoCs

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

Drops file in Windows directory 1 IoCs

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description ioc process

File opened for modification C:\Windows\svchost.com 7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

update.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier update.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	update.exe

Modifies registry class 1 IoCs

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe

description	pid	process	target process
PID 2200 wrote to memory of 2732	2200	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
PID 2200 wrote to memory of 2732	2200	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
PID 2200 wrote to memory of 2732	2200	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
PID 2732 wrote to memory of 4832	2732	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe	update.exe
PID 2732 wrote to memory of 4832	2732	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe	update.exe
PID 2732 wrote to memory of 4832	2732	7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
"C:\Users\Admin\AppData\Local\Temp\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2732

\??\c:\7f92dc80ae4\update\update.exe
c:\7f92dc80ae4\update\update.exe
3⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:4832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7f92dc80ae4\update\update.exe
Filesize
273KB

MD5
913e1622f99f34bf0ea509a6263cad70

SHA1
2676197585b4a192374a9e8f5dc4b4f0ade8e848

SHA256
4885e589817ee15a723b3146d93e6ba2791944b5de02f31f5d9a10a62afee518

SHA512
d70be96ca1090c70800a4494407daff89ad037d008ef5a18c3267d4f790233a0eda864307b87f6f56a05c55529b03174e74a54a1ce0e7b9630abd169d4d45485

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
Filesize
1.1MB

MD5
f6e17839f613103775997c9d793bb01f

SHA1
2ccd29707f60a769f8771766e984aa18682d652a

SHA256
355f1e3ba6fa2264818d257ff34011f1460ed5a9e273e5ec027308b4a2d2e639

SHA512
6c838d158230606c3654b2a35ca7cb3f1d7ca39d6791b09217586b692f0b73f63a418f54c7d310a65386f345159e40addb34edd50469acfc91a3514ae8b14668

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7c60706fa150dbc340edbf0a134fab06507ed0abe61cdbd3fe7e00d55b4516fb.exe
Filesize
1.1MB

MD5
f6e17839f613103775997c9d793bb01f

SHA1
2ccd29707f60a769f8771766e984aa18682d652a

SHA256
355f1e3ba6fa2264818d257ff34011f1460ed5a9e273e5ec027308b4a2d2e639

SHA512
6c838d158230606c3654b2a35ca7cb3f1d7ca39d6791b09217586b692f0b73f63a418f54c7d310a65386f345159e40addb34edd50469acfc91a3514ae8b14668

Download Submit
\??\c:\7f92dc80ae4\update\update.exe
Filesize
273KB

MD5
913e1622f99f34bf0ea509a6263cad70

SHA1
2676197585b4a192374a9e8f5dc4b4f0ade8e848

SHA256
4885e589817ee15a723b3146d93e6ba2791944b5de02f31f5d9a10a62afee518

SHA512
d70be96ca1090c70800a4494407daff89ad037d008ef5a18c3267d4f790233a0eda864307b87f6f56a05c55529b03174e74a54a1ce0e7b9630abd169d4d45485

Download Submit
\??\c:\7f92dc80ae4\update\update.inf
Filesize
6KB

MD5
a1e961d84ffbb5a80503dccdbd64a5d1

SHA1
e55d291ca0f12967c3d8cc035a6c49b88bc89e98

SHA256
ad4332420a486a41e257eea63f6dff0b52ce593b103dad05bf6f16397fe2503d

SHA512
70409278e78c73ef442791e41f06e621710c51458a903de75f958f77f0283b065f24532b9bb4a1fb5270e7ac06e58093c1c517b25de4d176e060283ea1b3a99d

Download Submit
memory/2732-132-0x0000000000000000-mapping.dmp

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads