neshta | 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a

Analysis

max time kernel
156s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Size

226KB
MD5

26be89e7461f820c28e795f15875c400
SHA1

f2a7c70b98993aa889a7accc7fa8945238f11357
SHA256

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a
SHA512

31793a5864b107f293f2496ec85221a39db013b917a074f8289f6cec69b8d44b0985ca8c50a0098c020ff8cbf36bc2ae1a827dfddd158592b47554c3f847d455
SSDEEP

6144:k9HbFePeusvLtNt+00ZSHgche6HR3kk0uX:8eHKBNt+xSpXx3kmX

Score

10^/10

neshta evasion persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 27 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe	family_neshta
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\88B7DA~1.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exesvchost.comwindows.exe

pid process

4956 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
632 svchost.com
5032 windows.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4040 netsh.exe

pid	process
4956	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
632	svchost.com
5032	windows.exe

pid	process
4040	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

Drops startup file 2 IoCs

Processes:

windows.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b7da58a3e62f24b08f565445b53900.exe	windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b7da58a3e62f24b08f565445b53900.exe	windows.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

windows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88b7da58a3e62f24b08f565445b53900 = "\"C:\\Users\\Admin\\windows.exe\" .."	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\88b7da58a3e62f24b08f565445b53900 = "\"C:\\Users\\Admin\\windows.exe\" .."	windows.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.com1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

Drops file in Windows directory 3 IoCs

Processes:

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

windows.exe

pid	process
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe
5032	windows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

windows.exe

description pid process

Token: SeDebugPrivilege 5032 windows.exe

description	pid	process
Token: SeDebugPrivilege	5032	windows.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exesvchost.comwindows.exe

description	pid	process	target process
PID 1556 wrote to memory of 4956	1556	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
PID 1556 wrote to memory of 4956	1556	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
PID 1556 wrote to memory of 4956	1556	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
PID 4956 wrote to memory of 632	4956	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe	svchost.com
PID 4956 wrote to memory of 632	4956	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe	svchost.com
PID 4956 wrote to memory of 632	4956	1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe	svchost.com
PID 632 wrote to memory of 5032	632	svchost.com	windows.exe
PID 632 wrote to memory of 5032	632	svchost.com	windows.exe
PID 632 wrote to memory of 5032	632	svchost.com	windows.exe
PID 5032 wrote to memory of 4040	5032	windows.exe	netsh.exe
PID 5032 wrote to memory of 4040	5032	windows.exe	netsh.exe
PID 5032 wrote to memory of 4040	5032	windows.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
"C:\Users\Admin\AppData\Local\Temp\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\3582-490\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\windows.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\windows.exe
C:\Users\Admin\windows.exe
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\windows.exe" "windows.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
Filesize
231KB

MD5
2a226fd810c5ce7b825ff7982bc22a0b

SHA1
58be5cb790336a8e751e91b1702a87fc0521a1d8

SHA256
af9e01dab96c2a54e2751a0d703cc55fdcc5ac00c40f0be2e13fd85c09b66132

SHA512
f122ce37b07871b88e322b0ca2e42f3170704d4165167d6d7b02883da9d2be5d2d62bdbd9f7e18d1c0c5e60e9e707a3b64ddb99150c99028333818dfa769deeb

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
Filesize
251KB

MD5
33cb4562e84c8bbbc8184b961e2e49ee

SHA1
d6549a52911eaeebcceb5bc39d71272d3b8f5111

SHA256
1f455ea6bab09377e5fdfbd5df102f79c5cbbb5fe5ce456f2fbb34f94ec848bb

SHA512
0b638a6e86816ba5d83de5fc381c85371f2f4fe0a2fdff40141859a42e255a082903e5692a49ef253265a42ec99924e5a0aa150cb7ed6cd5521f42f6c9fe27a9

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE
Filesize
179KB

MD5
6eb5faf8c8634b7286d08081e0c8837b

SHA1
e6d529c98beb26a4dcea5eb343d8e58a1a803909

SHA256
a72941f00bede95f64219f77d20acbfb3f60f783fbd0fe4dae8cbcb8edea673e

SHA512
2528b4ac550c62e6ba884670c0f60dfb8d446875e01d2d93e5cbe9c7014a556b81ae98d7c23805070f18434fb48c8ee3766267e0c3e6856c0729621cec554dd7

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe
Filesize
537KB

MD5
365a79a3103889da0d1034eef90e150b

SHA1
9c6d6600212ceb9b712fea1d99d85e7ef7f748eb

SHA256
49593d97b8367cddb5e341e367c851573c076fa052639e08d933e5203b77b5ef

SHA512
08ad848319600e122f9de12d103104ea155be17205171669cd305e3c9d9ac500a4dc10938b1c094b2705a13b4aa2b67344a59635ed7cedc95e52e9eba9371684

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe
Filesize
3.2MB

MD5
fe1b69272105afc35c59fdde851a0e73

SHA1
7407f32ccd3d444aac532dfa2dee59d6d38fb91a

SHA256
f68ee8f47c69284ceabde249d8f9406f35f085353a299a8707a24c6b34b775c6

SHA512
92fc046442048f67e0a5612f3d63e9b986d7803469737c226825415e91a9b2fdebd02bd951d082806cc8944e422c79ef29ffa4653a6364f4c1f5681c7ba043a3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe
Filesize
156KB

MD5
5ad8dd7a663f101ffeddfcd6bae2f9cf

SHA1
67fabad5399c2e46191c1132e0874a6cc2b208f8

SHA256
6a4a49328946be26ca31632af3e5441ba2b8247a51671de188c86821f1eb890b

SHA512
1db427eee862578fa4ce1e40071df6e5b6db3f67546d15a497a4714ee4b1de6dd8d7aba73681dc8e9f23f135f5ca71dcd8dfd9abaf1620ab578e5ef63e36968a

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe
Filesize
1.7MB

MD5
2a52fd23291f3caca91b559c3dcd637f

SHA1
c2cef19fcb10d45e5e1c437a7e4246d500ed09a3

SHA256
2a228d131fd39876865c31dadd000193978618637ca12408e42f4060aa2f466c

SHA512
f189c9f0b68d6d6842113e048356565569f67e7e63c6d4563913c99038f0a0bb54b750f37c098a50936eb115d751265314abde27d5014c6c73011c031f82b248

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe
Filesize
1.1MB

MD5
04a1f566e84e3195b2da69ad9f3cd3c6

SHA1
66cf405b03dee4e8792b140b0f01913258c39f3f

SHA256
1783558c3b30f7c09efd44b76a09d85073bbdf27bdbc46de61783b9f7a76f3d2

SHA512
61e9543b78a31235a25ebc3135334fb1ded0124df8662074ac9944ef4086e920cc1c741e89a316cf44c53106f66254c605fb53e13d850f55d7de34191f405ad5

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe
Filesize
3.7MB

MD5
e1545cbdd197de221913344565f16c76

SHA1
3672b92456462879827edb7041bab80812ff8edd

SHA256
6ecc928d1a67f292103a6731630a942cf8b9bcb52ab6a1d47ed4f9202751b110

SHA512
a8186842890a851a9760d821d42490620e4e9f7906908ac63547913f9411502f45847155d844824e646068529b4112c7acd07ee1840294a347e07d293c0309ac

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe
Filesize
1.1MB

MD5
5423852b85f3cd0628f3a242e1e9eebe

SHA1
1264f6ee997a1876062952dbb7ceae06c2732792

SHA256
385fd4beecebd8c3702413373be358994e1af9481c88148613026f737a855f93

SHA512
4fb16f3c8198e77437b609e05831421a2d9a5597f83ac22819787082f52ffd1a5a626ff99c137a99ad8b6eca40bb2111a347e67e0351be4d8235a26517475300

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe
Filesize
1.8MB

MD5
e9db236130389516b93f40c919c2619b

SHA1
2722717f25122719010bdb0b49bcbb6f9a9d69ac

SHA256
3d3c7ff298fa5d2914470fc32fcb92a82d1ce8924933221895bcbab49d29eab8

SHA512
5bc6fbd9f97754bf4ec44ee7101d86657a35af6ee3a1b0b79bba4fbffffbfbf3b5836bffe9dd7db495c5688c8b7b291e52b0a6c89ea1f5e41e79507e49f30598

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe
Filesize
3.2MB

MD5
816bf809bdab7e95c6f16b38f619a527

SHA1
5bc139e11d077e8fa88394fb610f63f629f3b86d

SHA256
75367284d50434c966d4126241682829523a0baa1c03163b9383433182433a75

SHA512
1e7fbdbfcfb805691ca402acb7da16222da3f6d923db3cc5fe36cb7e677159f5a4b3ab8397d4d34ed82dc389220721bd40d37e35ecc57411133a1601fca1555c

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe
Filesize
1.3MB

MD5
2a46785ab8b2aad2bf6630d12a17a6ce

SHA1
e9704d280ea3589c3b4c1d808a5ff0efe83bc330

SHA256
1bb2b789bf7890e583958a213a20a20c920972ecac9e1874c04b49d28f69f224

SHA512
5efb0fdfbadca4698879249f5a2d07846012394c50695f663c18f469e887124819537bb71b179d427886e1325bc201cd28bd499fb75d2bdff01dfdf8a13db94e

Download Submit
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe
Filesize
1.1MB

MD5
25689bf879a14f124ea71db500ddb522

SHA1
36dc53850fef561a5ecbb3acdaaaa8aa7868c14c

SHA256
2bd534244e50c34d36957c30cb26077ef7e91635eb93df15d1b16c867b125c3f

SHA512
fc182276d7187bbb941c171dc70900bdbf81591f83559dd3c0be2f2467ca66c853a5e5cc6affff5870cd0fbd6dcd0db69bb8f55068085eb39fb61b3cfdcd0ed3

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
6.7MB

MD5
32853955255a94fcd7587ca9cbfe2b60

SHA1
c33a88184c09e89598f0cabf68ce91c8d5791521

SHA256
64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

SHA512
8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
526KB

MD5
cc5020b193486a88f373bedca78e24c8

SHA1
61744a1675ce10ddd196129b49331d517d7da884

SHA256
e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

SHA512
bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
715KB

MD5
98cdb9e27473946387a8e70e610a4887

SHA1
d0f978cff0fc003da6621480e628a6238cbfd139

SHA256
6e07f388a7fcf695e004d7216e8efcac9ebf73715030f9cbba4ef4c5f82459f4

SHA512
3be19e9c8ddc3798e4d67b1f0a3bf4b092e016f1cf64611f5e9466b3df8dbdf545028e1caf9b83af95d923601443f3a8d12f6b37bffd45b4a2f056429902450c

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
536KB

MD5
31685b921fcd439185495e2bdc8c5ebf

SHA1
5d171dd1f2fc2ad55bde2e3c16a58abff07ae636

SHA256
4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c

SHA512
04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
525KB

MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
536KB

MD5
4abf57a2637d22892921fcb9b9ce809c

SHA1
d43d1a117b8f79fa202bf5e6e4550b33cc1a47aa

SHA256
fd7e29d591c7286c9213939c0369de42a7c8b86f103217ec1d49751b5e7f6369

SHA512
e813d6d0b04beb2f2a7c2f27055da4afa41cf7f9aaf1d2ff10696c3e6ebb5387ff1f2b8547737005dce66cb3ce20805776811177a42f4539c1659753994e2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Filesize
186KB

MD5
4c3ea656b6c97b851dfe616bafba1af8

SHA1
b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d

SHA256
198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660

SHA512
5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Filesize
186KB

MD5
4c3ea656b6c97b851dfe616bafba1af8

SHA1
b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d

SHA256
198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660

SHA512
5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\88B7DA~1.EXE
Filesize
267KB

MD5
ecc2185381681dcfdb4b41623ca697fd

SHA1
4912ec1b5960e5c2f4b737b4313a50a94b6d98cf

SHA256
43b21a1b3cffc0b2cde74be5cdbd61afa151dd2d412af3504adb86d1d3e2d9c1

SHA512
23fff074c1ce90970df8ab4ec9864799bd975511faaf0b25fa782b2124e7b6f23de15bcb0af4badce146eab6b06ad803ca43a4c9888570d79380cc97371e6513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b7da58a3e62f24b08f565445b53900.exe
Filesize
186KB

MD5
4c3ea656b6c97b851dfe616bafba1af8

SHA1
b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d

SHA256
198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660

SHA512
5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71

Download Submit
C:\Users\Admin\windows.exe
Filesize
186KB

MD5
4c3ea656b6c97b851dfe616bafba1af8

SHA1
b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d

SHA256
198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660

SHA512
5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71

Download Submit
C:\Users\Admin\windows.exe
Filesize
186KB

MD5
4c3ea656b6c97b851dfe616bafba1af8

SHA1
b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d

SHA256
198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660

SHA512
5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/632-136-0x0000000000000000-mapping.dmp

Download
memory/4040-142-0x0000000000000000-mapping.dmp

Download
memory/4956-135-0x00000000741B0000-0x0000000074761000-memory.dmp

Filesize
5.7MB

Download
memory/4956-144-0x00000000741B0000-0x0000000074761000-memory.dmp

Filesize
5.7MB

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download
memory/5032-143-0x00000000741B0000-0x0000000074761000-memory.dmp

Filesize
5.7MB

Download
memory/5032-140-0x0000000000000000-mapping.dmp

Download
memory/5032-145-0x00000000741B0000-0x0000000074761000-memory.dmp

Filesize
5.7MB

Download