Analysis
-
max time kernel
156s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
02-12-2022 14:42
Behavioral task
behavioral1
Sample
1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Resource
win10v2004-20220812-en
General
-
Target
1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
-
Size
226KB
-
MD5
26be89e7461f820c28e795f15875c400
-
SHA1
f2a7c70b98993aa889a7accc7fa8945238f11357
-
SHA256
1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a
-
SHA512
31793a5864b107f293f2496ec85221a39db013b917a074f8289f6cec69b8d44b0985ca8c50a0098c020ff8cbf36bc2ae1a827dfddd158592b47554c3f847d455
-
SSDEEP
6144:k9HbFePeusvLtNt+00ZSHgche6HR3kk0uX:8eHKBNt+xSpXx3kmX
Malware Config
Signatures
-
Detect Neshta payload 27 IoCs
Processes:
resource  yara_rule
C:\Windows\svchost.com  family_neshta
C:\Windows\svchost.com  family_neshta
C:\odt\OFFICE~1.EXE  family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE  family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE  family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe  family_neshta
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\88B7DA~1.EXE  family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE  family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE  family_neshta
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
-
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
Executes dropped EXE 3 IoCs
Processes: 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe, svchost.com, windows.exe
pid  process
4956  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
632  svchost.com
5032  windows.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
-
Drops startup file 2 IoCs
Processes: windows.exe
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b7da58a3e62f24b08f565445b53900.exe  windows.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b7da58a3e62f24b08f565445b53900.exe  windows.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: windows.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88b7da58a3e62f24b08f565445b53900 = "\"C:\\Users\\Admin\\windows.exe\" .."  windows.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\88b7da58a3e62f24b08f565445b53900 = "\"C:\\Users\\Admin\\windows.exe\" .."  windows.exe
-
Drops file in Program Files directory 64 IoCs
Processes: svchost.com, 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
description  ioc  process
File opened for modification  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\WINDOW~2\wab.exe  svchost.com
File opened for modification  C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\setup_wm.exe  svchost.com
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe  svchost.com
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe  svchost.com
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\INTERN~1\iexplore.exe  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\WINDOW~2\wabmig.exe  svchost.com
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\INTERN~1\ExtExport.exe  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe  svchost.com
File opened for modification  C:\PROGRA~2\INTERN~1\ieinstal.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\WINDOW~4\wmpconfig.exe  svchost.com
File opened for modification  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Google\Update\DISABL~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE  svchost.com
File opened for modification  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe  svchost.com
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Google\Update\DISABL~1.EXE  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe  svchost.com
File opened for modification  C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe  svchost.com
File opened for modification  C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\PROGRA~2\WINDOW~4\wmplayer.exe  svchost.com
File opened for modification  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
-
Drops file in Windows directory 3 IoCs
Processes: 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe, svchost.com
description  ioc  process
File opened for modification  C:\Windows\svchost.com  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage or optical drive(s); likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes: 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes: windows.exe
pid  process
5032  windows.exe  (21 identical entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: windows.exe
description  pid  process
Token: SeDebugPrivilege  5032  windows.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe, svchost.com, windows.exe
description  pid  process  target process
PID 1556 wrote to memory of 4956  1556  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
PID 1556 wrote to memory of 4956  1556  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
PID 1556 wrote to memory of 4956  1556  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
PID 4956 wrote to memory of 632  4956  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe  svchost.com
PID 4956 wrote to memory of 632  4956  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe  svchost.com
PID 4956 wrote to memory of 632  4956  1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe  svchost.com
PID 632 wrote to memory of 5032  632  svchost.com  windows.exe
PID 632 wrote to memory of 5032  632  svchost.com  windows.exe
PID 632 wrote to memory of 5032  632  svchost.com  windows.exe
PID 5032 wrote to memory of 4040  5032  windows.exe  netsh.exe
PID 5032 wrote to memory of 4040  5032  windows.exe  netsh.exe
PID 5032 wrote to memory of 4040  5032  windows.exe  netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe"
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com (level 3)
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\windows.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\windows.exe (level 4)
Command line: C:\Users\Admin\windows.exe
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe (level 5)
Command line: netsh firewall add allowedprogram "C:\Users\Admin\windows.exe" "windows.exe" ENABLE
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize 125KB
MD5 cce8964848413b49f18a44da9cb0a79b
SHA1 0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256 fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512 bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
Filesize 231KB
MD5 2a226fd810c5ce7b825ff7982bc22a0b
SHA1 58be5cb790336a8e751e91b1702a87fc0521a1d8
SHA256 af9e01dab96c2a54e2751a0d703cc55fdcc5ac00c40f0be2e13fd85c09b66132
SHA512 f122ce37b07871b88e322b0ca2e42f3170704d4165167d6d7b02883da9d2be5d2d62bdbd9f7e18d1c0c5e60e9e707a3b64ddb99150c99028333818dfa769deeb
-
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
Filesize 251KB
MD5 33cb4562e84c8bbbc8184b961e2e49ee
SHA1 d6549a52911eaeebcceb5bc39d71272d3b8f5111
SHA256 1f455ea6bab09377e5fdfbd5df102f79c5cbbb5fe5ce456f2fbb34f94ec848bb
SHA512 0b638a6e86816ba5d83de5fc381c85371f2f4fe0a2fdff40141859a42e255a082903e5692a49ef253265a42ec99924e5a0aa150cb7ed6cd5521f42f6c9fe27a9
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE
Filesize 179KB
MD5 6eb5faf8c8634b7286d08081e0c8837b
SHA1 e6d529c98beb26a4dcea5eb343d8e58a1a803909
SHA256 a72941f00bede95f64219f77d20acbfb3f60f783fbd0fe4dae8cbcb8edea673e
SHA512 2528b4ac550c62e6ba884670c0f60dfb8d446875e01d2d93e5cbe9c7014a556b81ae98d7c23805070f18434fb48c8ee3766267e0c3e6856c0729621cec554dd7
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe
Filesize 537KB
MD5 365a79a3103889da0d1034eef90e150b
SHA1 9c6d6600212ceb9b712fea1d99d85e7ef7f748eb
SHA256 49593d97b8367cddb5e341e367c851573c076fa052639e08d933e5203b77b5ef
SHA512 08ad848319600e122f9de12d103104ea155be17205171669cd305e3c9d9ac500a4dc10938b1c094b2705a13b4aa2b67344a59635ed7cedc95e52e9eba9371684
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe
Filesize 3.2MB
MD5 fe1b69272105afc35c59fdde851a0e73
SHA1 7407f32ccd3d444aac532dfa2dee59d6d38fb91a
SHA256 f68ee8f47c69284ceabde249d8f9406f35f085353a299a8707a24c6b34b775c6
SHA512 92fc046442048f67e0a5612f3d63e9b986d7803469737c226825415e91a9b2fdebd02bd951d082806cc8944e422c79ef29ffa4653a6364f4c1f5681c7ba043a3
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe
Filesize 156KB
MD5 5ad8dd7a663f101ffeddfcd6bae2f9cf
SHA1 67fabad5399c2e46191c1132e0874a6cc2b208f8
SHA256 6a4a49328946be26ca31632af3e5441ba2b8247a51671de188c86821f1eb890b
SHA512 1db427eee862578fa4ce1e40071df6e5b6db3f67546d15a497a4714ee4b1de6dd8d7aba73681dc8e9f23f135f5ca71dcd8dfd9abaf1620ab578e5ef63e36968a
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe
Filesize 1.7MB
MD5 2a52fd23291f3caca91b559c3dcd637f
SHA1 c2cef19fcb10d45e5e1c437a7e4246d500ed09a3
SHA256 2a228d131fd39876865c31dadd000193978618637ca12408e42f4060aa2f466c
SHA512 f189c9f0b68d6d6842113e048356565569f67e7e63c6d4563913c99038f0a0bb54b750f37c098a50936eb115d751265314abde27d5014c6c73011c031f82b248
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe
Filesize 1.1MB
MD5 04a1f566e84e3195b2da69ad9f3cd3c6
SHA1 66cf405b03dee4e8792b140b0f01913258c39f3f
SHA256 1783558c3b30f7c09efd44b76a09d85073bbdf27bdbc46de61783b9f7a76f3d2
SHA512 61e9543b78a31235a25ebc3135334fb1ded0124df8662074ac9944ef4086e920cc1c741e89a316cf44c53106f66254c605fb53e13d850f55d7de34191f405ad5
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe
Filesize 3.7MB
MD5 e1545cbdd197de221913344565f16c76
SHA1 3672b92456462879827edb7041bab80812ff8edd
SHA256 6ecc928d1a67f292103a6731630a942cf8b9bcb52ab6a1d47ed4f9202751b110
SHA512 a8186842890a851a9760d821d42490620e4e9f7906908ac63547913f9411502f45847155d844824e646068529b4112c7acd07ee1840294a347e07d293c0309ac
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe
Filesize 1.1MB
MD5 5423852b85f3cd0628f3a242e1e9eebe
SHA1 1264f6ee997a1876062952dbb7ceae06c2732792
SHA256 385fd4beecebd8c3702413373be358994e1af9481c88148613026f737a855f93
SHA512 4fb16f3c8198e77437b609e05831421a2d9a5597f83ac22819787082f52ffd1a5a626ff99c137a99ad8b6eca40bb2111a347e67e0351be4d8235a26517475300
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe
Filesize 1.8MB
MD5 e9db236130389516b93f40c919c2619b
SHA1 2722717f25122719010bdb0b49bcbb6f9a9d69ac
SHA256 3d3c7ff298fa5d2914470fc32fcb92a82d1ce8924933221895bcbab49d29eab8
SHA512 5bc6fbd9f97754bf4ec44ee7101d86657a35af6ee3a1b0b79bba4fbffffbfbf3b5836bffe9dd7db495c5688c8b7b291e52b0a6c89ea1f5e41e79507e49f30598
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe
Filesize 3.2MB
MD5 816bf809bdab7e95c6f16b38f619a527
SHA1 5bc139e11d077e8fa88394fb610f63f629f3b86d
SHA256 75367284d50434c966d4126241682829523a0baa1c03163b9383433182433a75
SHA512 1e7fbdbfcfb805691ca402acb7da16222da3f6d923db3cc5fe36cb7e677159f5a4b3ab8397d4d34ed82dc389220721bd40d37e35ecc57411133a1601fca1555c
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe
Filesize 1.3MB
MD5 2a46785ab8b2aad2bf6630d12a17a6ce
SHA1 e9704d280ea3589c3b4c1d808a5ff0efe83bc330
SHA256 1bb2b789bf7890e583958a213a20a20c920972ecac9e1874c04b49d28f69f224
SHA512 5efb0fdfbadca4698879249f5a2d07846012394c50695f663c18f469e887124819537bb71b179d427886e1325bc201cd28bd499fb75d2bdff01dfdf8a13db94e
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe
Filesize 1.1MB
MD5 25689bf879a14f124ea71db500ddb522
SHA1 36dc53850fef561a5ecbb3acdaaaa8aa7868c14c
SHA256 2bd534244e50c34d36957c30cb26077ef7e91635eb93df15d1b16c867b125c3f
SHA512 fc182276d7187bbb941c171dc70900bdbf81591f83559dd3c0be2f2467ca66c853a5e5cc6affff5870cd0fbd6dcd0db69bb8f55068085eb39fb61b3cfdcd0ed3
-
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize 534KB
MD5 8a403bc371b84920c641afa3cf9fef2f
SHA1 d6c9d38f3e571b54132dd7ee31a169c683abfd63
SHA256 614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3
SHA512 b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72
-
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize 6.7MB
MD5 32853955255a94fcd7587ca9cbfe2b60
SHA1 c33a88184c09e89598f0cabf68ce91c8d5791521
SHA256 64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330
SHA512 8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize 526KB
MD5 cc5020b193486a88f373bedca78e24c8
SHA1 61744a1675ce10ddd196129b49331d517d7da884
SHA256 e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a
SHA512 bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize 714KB
MD5 24179b4581907abfef8a55ab41c97999
SHA1 e4de417476f43da4405f4340ebf6044f6b094337
SHA256 a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7
SHA512 6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8
-
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize 715KB
MD5 98cdb9e27473946387a8e70e610a4887
SHA1 d0f978cff0fc003da6621480e628a6238cbfd139
SHA256 6e07f388a7fcf695e004d7216e8efcac9ebf73715030f9cbba4ef4c5f82459f4
SHA512 3be19e9c8ddc3798e4d67b1f0a3bf4b092e016f1cf64611f5e9466b3df8dbdf545028e1caf9b83af95d923601443f3a8d12f6b37bffd45b4a2f056429902450c
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize 536KB
MD5 31685b921fcd439185495e2bdc8c5ebf
SHA1 5d171dd1f2fc2ad55bde2e3c16a58abff07ae636
SHA256 4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c
SHA512 04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f
-
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize 525KB
MD5 0d9146d70ac6a41ead1ea2d50d729508
SHA1 b9e6ff83a26aaf105640f5d5cdab213c989dc370
SHA256 0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab
SHA512 c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3
-
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize 536KB
MD5 4abf57a2637d22892921fcb9b9ce809c
SHA1 d43d1a117b8f79fa202bf5e6e4550b33cc1a47aa
SHA256 fd7e29d591c7286c9213939c0369de42a7c8b86f103217ec1d49751b5e7f6369
SHA512 e813d6d0b04beb2f2a7c2f27055da4afa41cf7f9aaf1d2ff10696c3e6ebb5387ff1f2b8547737005dce66cb3ce20805776811177a42f4539c1659753994e2506
-
C:\Users\Admin\AppData\Local\Temp\3582-490\1861ade663893cedf8c9bfbfbb397220dec8cbc0bf7773c4a042d0bab07d5f2a.exe
Filesize 186KB
MD5 4c3ea656b6c97b851dfe616bafba1af8
SHA1 b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d
SHA256 198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660
SHA512 5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\88B7DA~1.EXE
Filesize 267KB
MD5 ecc2185381681dcfdb4b41623ca697fd
SHA1 4912ec1b5960e5c2f4b737b4313a50a94b6d98cf
SHA256 43b21a1b3cffc0b2cde74be5cdbd61afa151dd2d412af3504adb86d1d3e2d9c1
SHA512 23fff074c1ce90970df8ab4ec9864799bd975511faaf0b25fa782b2124e7b6f23de15bcb0af4badce146eab6b06ad803ca43a4c9888570d79380cc97371e6513
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\88b7da58a3e62f24b08f565445b53900.exe
Filesize 186KB
MD5 4c3ea656b6c97b851dfe616bafba1af8
SHA1 b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d
SHA256 198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660
SHA512 5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71
-
C:\Users\Admin\windows.exe
Filesize 186KB
MD5 4c3ea656b6c97b851dfe616bafba1af8
SHA1 b1ed0eac48b1d7e3cbe3e465fb3dfd0df801272d
SHA256 198e6cf667d66a1a147bc5b955da5cdec090f84c19b64b2c2f6983d992713660
SHA512 5a2f8f988e438b66b3cc304796b80f6ff582e7c4032b6faf8d17377c2de852dd5c1b7b10a3253f0e137d5db696bb9a85c96561d407ac35703a4b4fd457ef4e71
-
C:\Windows\svchost.com
Filesize 40KB
MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\odt\OFFICE~1.EXE
Filesize 5.1MB
MD5 02c3d242fe142b0eabec69211b34bc55
SHA1 ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/632-136-0x0000000000000000-mapping.dmp
-
memory/4040-142-0x0000000000000000-mapping.dmp
-
memory/4956-135-0x00000000741B0000-0x0000000074761000-memory.dmp
Filesize 5.7MB
-
memory/4956-144-0x00000000741B0000-0x0000000074761000-memory.dmp
Filesize 5.7MB
-
memory/4956-132-0x0000000000000000-mapping.dmp
-
memory/5032-143-0x00000000741B0000-0x0000000074761000-memory.dmp
Filesize 5.7MB
-
memory/5032-140-0x0000000000000000-mapping.dmp
-
memory/5032-145-0x00000000741B0000-0x0000000074761000-memory.dmp
Filesize 5.7MB