neshta | 275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9

Analysis

max time kernel
49s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Size

308KB
MD5

6bff1c64f637e898172cc3f7e4e0aa50
SHA1

e349508176e4f609df50635afadda695998ab888
SHA256

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9
SHA512

394b29c6a45200b3b37037667479516f30737707012a62a7dba0e8322d95e911f09cc1eb89b89f5c107b2d5149389e691ed25651c7d6deaf17cf4c1ad12811ba
SSDEEP

6144:jyH7xOc6H5c6HcT66vlmrI+JfLNf+EemmTAfUPYFEiMZ64xyUeRUqB1a:jax+BLN3afPOElN3e+

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	family_neshta
\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 4 IoCs

Processes:

svchost.exe275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exesvchost.exe275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

pid	process
2028	svchost.exe
2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
784	svchost.exe
1732	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

Loads dropped DLL 7 IoCs

Processes:

svchost.exe275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

pid	process
2028	svchost.exe
2028	svchost.exe
2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

Drops file in Windows directory 2 IoCs

Processes:

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

description	ioc	process
File created	C:\Windows\svchost.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
File opened for modification	C:\Windows\svchost.com	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

pid process

1732 275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

pid process

1732 275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

pid	process
1732	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

pid	process
1732	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exesvchost.exe275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

description	pid	process	target process
PID 1380 wrote to memory of 2028	1380	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	svchost.exe
PID 1380 wrote to memory of 2028	1380	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	svchost.exe
PID 1380 wrote to memory of 2028	1380	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	svchost.exe
PID 1380 wrote to memory of 2028	1380	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	svchost.exe
PID 2028 wrote to memory of 2020	2028	svchost.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
PID 2028 wrote to memory of 2020	2028	svchost.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
PID 2028 wrote to memory of 2020	2028	svchost.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
PID 2028 wrote to memory of 2020	2028	svchost.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
PID 2020 wrote to memory of 1732	2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
PID 2020 wrote to memory of 1732	2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
PID 2020 wrote to memory of 1732	2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
PID 2020 wrote to memory of 1732	2020	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe	275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe

C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
"C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
"C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe"
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\3582-490\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Filesize
272KB

MD5
0aedda5b764de400602458f5f3ec8387

SHA1
7de3626697533eea1b007a1622ac814a531e4aaf

SHA256
9309af0c0fbc26c3718096152a4d06ca5311656dbb84f6f27ec4580eb0f0134e

SHA512
7ce2d5c5eff8215b91caa5f9b3bbdee2a8e5cdddc3675c8c6e20d30bccc715881d1238cc1ce0befa1f552434630ffdb636cce1d740ee725ddff35cfd3de4bf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Filesize
272KB

MD5
0aedda5b764de400602458f5f3ec8387

SHA1
7de3626697533eea1b007a1622ac814a531e4aaf

SHA256
9309af0c0fbc26c3718096152a4d06ca5311656dbb84f6f27ec4580eb0f0134e

SHA512
7ce2d5c5eff8215b91caa5f9b3bbdee2a8e5cdddc3675c8c6e20d30bccc715881d1238cc1ce0befa1f552434630ffdb636cce1d740ee725ddff35cfd3de4bf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Filesize
232KB

MD5
7e2c523a1d263ded98c69b2ffd328d1a

SHA1
947a2fe4486ba050fbd4cb837bde1387bcc34f88

SHA256
d621099d631f5f4b8ccdd8d33ec23003112ed64d3f30fba46ac9f9c802fdcae5

SHA512
cb6c63d6660a79f9a0e9dce38c4d4aee9f32819615e2a844a30f2907563cf4ed1c7029c69c3aa7974217581612865b4efb6a9759b0ea1dba63292072cbc286b7

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe
Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
15e2192b38b8c6162f477113b8ce027d

SHA1
673074054a49a25e9baf6fe2fc7cf8cfc8ae110a

SHA256
4a20c212912cb30990048b595bb1bd396672200f97518e01cc810d4566bb3a52

SHA512
d2427b1c786c13723697f55377a12be0a9cf097d01fd6ec16ec5777e79cc0a1234d5f82d52705e7a9b4a73815e0ce097d2ee39d90317b9fc776cffb15736065a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Filesize
272KB

MD5
0aedda5b764de400602458f5f3ec8387

SHA1
7de3626697533eea1b007a1622ac814a531e4aaf

SHA256
9309af0c0fbc26c3718096152a4d06ca5311656dbb84f6f27ec4580eb0f0134e

SHA512
7ce2d5c5eff8215b91caa5f9b3bbdee2a8e5cdddc3675c8c6e20d30bccc715881d1238cc1ce0befa1f552434630ffdb636cce1d740ee725ddff35cfd3de4bf3f

Download Submit
\Users\Admin\AppData\Local\Temp\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Filesize
272KB

MD5
0aedda5b764de400602458f5f3ec8387

SHA1
7de3626697533eea1b007a1622ac814a531e4aaf

SHA256
9309af0c0fbc26c3718096152a4d06ca5311656dbb84f6f27ec4580eb0f0134e

SHA512
7ce2d5c5eff8215b91caa5f9b3bbdee2a8e5cdddc3675c8c6e20d30bccc715881d1238cc1ce0befa1f552434630ffdb636cce1d740ee725ddff35cfd3de4bf3f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Filesize
232KB

MD5
7e2c523a1d263ded98c69b2ffd328d1a

SHA1
947a2fe4486ba050fbd4cb837bde1387bcc34f88

SHA256
d621099d631f5f4b8ccdd8d33ec23003112ed64d3f30fba46ac9f9c802fdcae5

SHA512
cb6c63d6660a79f9a0e9dce38c4d4aee9f32819615e2a844a30f2907563cf4ed1c7029c69c3aa7974217581612865b4efb6a9759b0ea1dba63292072cbc286b7

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\275538fc9f2e606a5b9cfb94b939278a965fc6eb4ed94e2a72bb03277cdaffd9.exe
Filesize
232KB

MD5
7e2c523a1d263ded98c69b2ffd328d1a

SHA1
947a2fe4486ba050fbd4cb837bde1387bcc34f88

SHA256
d621099d631f5f4b8ccdd8d33ec23003112ed64d3f30fba46ac9f9c802fdcae5

SHA512
cb6c63d6660a79f9a0e9dce38c4d4aee9f32819615e2a844a30f2907563cf4ed1c7029c69c3aa7974217581612865b4efb6a9759b0ea1dba63292072cbc286b7

Download Submit
memory/1732-66-0x0000000000000000-mapping.dmp

Download
memory/2020-61-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/2020-59-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads