neshta | e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef

Analysis

max time kernel
205s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
Size

383KB
MD5

f52d2e8a890159116942be014fa836f3
SHA1

4ec6cc20d18765f7783086d066b4f4b6ce55cda0
SHA256

e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef
SHA512

c7344a71b4b758cdc7b40f929af4a861b0a021248e89bee01dab82b5c18c2f6a47ba6a4833819b6e7a49fc51a244eb6dc9e70e652c43ffd15713a9b88d329110
SSDEEP

6144:k9nkzLyM9tsLAitQo6tzOKkzIt8gKyfjxfR9D2j4yTBwRqmpp+amNOGb:SGL3etQoMiXM8gxf/Sj4yVkqmpplpGb

Score

10^/10

neshta aspackv2 persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000800000001270c-73.dat	aspack_v212_v242

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Executes dropped EXE 3 IoCs

pid	Process
1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
1764	fservice.exe
544	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001232d-55.dat	upx
behavioral1/files/0x000a00000001232d-58.dat	upx
behavioral1/files/0x000a00000001232d-56.dat	upx
behavioral1/memory/1156-61-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/files/0x000a00000001232d-62.dat	upx
behavioral1/files/0x000900000001234f-63.dat	upx
behavioral1/files/0x000900000001234f-64.dat	upx
behavioral1/files/0x000900000001234f-66.dat	upx
behavioral1/files/0x000700000001270c-69.dat	upx
behavioral1/files/0x000900000001234f-68.dat	upx
behavioral1/files/0x0007000000012722-71.dat	upx
behavioral1/memory/1764-74-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/544-75-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/1156-78-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/1764-80-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/memory/1156-83-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral1/files/0x0007000000012722-88.dat	upx

Loads dropped DLL 7 IoCs

pid	Process
1396	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
1396	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
544	services.exe
1396	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
544	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File created	C:\Windows\system\sservice.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File opened for modification	C:\Windows\system\sservice.exe	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe
544	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
544	services.exe
544	services.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1156	1396	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	28
PID 1396 wrote to memory of 1156	1396	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	28
PID 1396 wrote to memory of 1156	1396	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	28
PID 1396 wrote to memory of 1156	1396	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	28
PID 1156 wrote to memory of 1764	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	29
PID 1156 wrote to memory of 1764	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	29
PID 1156 wrote to memory of 1764	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	29
PID 1156 wrote to memory of 1764	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	29
PID 1764 wrote to memory of 544	1764	fservice.exe	30
PID 1764 wrote to memory of 544	1764	fservice.exe	30
PID 1764 wrote to memory of 544	1764	fservice.exe	30
PID 1764 wrote to memory of 544	1764	fservice.exe	30
PID 1156 wrote to memory of 1164	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	31
PID 1156 wrote to memory of 1164	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	31
PID 1156 wrote to memory of 1164	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	31
PID 1156 wrote to memory of 1164	1156	e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe	31
PID 544 wrote to memory of 1692	544	services.exe	33
PID 544 wrote to memory of 1692	544	services.exe	33
PID 544 wrote to memory of 1692	544	services.exe	33
PID 544 wrote to memory of 1692	544	services.exe	33
PID 544 wrote to memory of 900	544	services.exe	35
PID 544 wrote to memory of 900	544	services.exe	35
PID 544 wrote to memory of 900	544	services.exe	35
PID 544 wrote to memory of 900	544	services.exe	35
PID 1692 wrote to memory of 1176	1692	NET.exe	37
PID 1692 wrote to memory of 1176	1692	NET.exe	37
PID 1692 wrote to memory of 1176	1692	NET.exe	37
PID 1692 wrote to memory of 1176	1692	NET.exe	37
PID 900 wrote to memory of 428	900	NET.exe	38
PID 900 wrote to memory of 428	900	NET.exe	38
PID 900 wrote to memory of 428	900	NET.exe	38
PID 900 wrote to memory of 428	900	NET.exe	38

C:\Users\Admin\AppData\Local\Temp\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
"C:\Users\Admin\AppData\Local\Temp\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\services.exe
      C:\Windows\services.exe -XP
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Executes dropped EXE
      Modifies Installed Components in the registry
      Loads dropped DLL
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        6⤵
        
        PID:1176
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        6⤵
        
        PID:428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe.bat
    3⤵
    PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe.bat

Filesize
151B

MD5
25c3f4b8a9725a71b060efda2c41baff

SHA1
c1caa476d213779ae690da5bb2b13e4f7e66e2fc

SHA256
8fe623c385399f03f2d1c4ca2007c980c7b35e63c33a55311cc73acce4545758

SHA512
03f9b2d0522e6b8c39fdee9c15e9319b7920ef48d4e5570a439d0946853eb6b23bc9c3e18e4c1953af8dd1fb1a90f21439ea15eb209003441991451c8717acb4

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
C:\Windows\system\sservice.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\e65bc61723d76b4d3feb0d55063092b47bceab471c1f08e94b44b6c4a7a6f2ef.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
006227c742df208ca968d5c56519c282

SHA1
9dcd79d7e4ae8507d1a544e86d070476e5f88f44

SHA256
3988d068b90ca396f4ccb390fcf6a7d20427df7f595a1fbcafed4f62a2cddfb3

SHA512
29ba43a70912e5efd37c2c625ed86e9008a7727bce562da837bbfe0944ecca0d90c8bb9332e4da1e5c72f4c538dafc0a1b1cebc4b7a352af602ad399dd67727d

Download Submit
\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
memory/544-75-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/544-76-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/1156-61-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1156-78-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1156-83-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1396-77-0x00000000025F0000-0x00000000027EC000-memory.dmp

Filesize
2.0MB

Download
memory/1396-60-0x00000000025F0000-0x00000000027EC000-memory.dmp

Filesize
2.0MB

Download
memory/1396-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1764-74-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1764-80-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1764-79-0x0000000002F70000-0x000000000316C000-memory.dmp

Filesize
2.0MB

Download