neshta | 78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361

General

Target

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Size

265KB
MD5

3ac0d935228460fdc38bdab692d71b0c
SHA1

d08f753af5b5d9be3352495189be6fd4914ad8e1
SHA256

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
SHA512

04376fc469808504a8071f0b9baa35c4f922d7b69c4d4c6e77309022f95cf916a80b758a6733154f36e8be59d928b93903eec47a6df32e96b2ef3b4b6f0fde54
SSDEEP

6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN

Score

10^/10

neshta venus persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Venus
Venus is a ransomware first seen in 2022.
ransomware venus

Venus Ransomware 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	family_venus
C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	family_venus
C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	family_venus
behavioral1/memory/1316-61-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
C:\Windows\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	family_venus
behavioral1/memory/1052-70-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus
behavioral1/memory/1052-72-0x0000000000400000-0x000000000043E000-memory.dmp	family_venus

Executes dropped EXE 3 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exesvchost.com

pid	process
1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
1384	svchost.com

Loads dropped DLL 2 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

pid	process
1768	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
1768	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe = "C:\\Windows\\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

description	ioc	process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

description	ioc	process
File opened (read-only)	\??\E:	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened (read-only)	\??\F:	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Drops file in Program Files directory 64 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Drops file in Windows directory 5 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exesvchost.com78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

description	ioc	process
File created	C:\Windows\18374211581972527219.png	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
File created	C:\Windows\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1580 taskkill.exe

pid	process
1580	taskkill.exe

Modifies registry class 4 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus\DefaultIcon\ = "C:\\Windows\\18374211581972527219.png"	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.venus	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

960 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1428 PING.EXE

pid	process
960	NOTEPAD.EXE

pid	process
1428	PING.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exetaskkill.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Token: SeTcbPrivilege	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Token: SeTakeOwnershipPrivilege	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Token: SeSecurityPrivilege	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: 33	2032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2032	AUDIODG.EXE
Token: 33	2032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2032	AUDIODG.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.execmd.exe78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.execmd.exesvchost.com

description	pid	process	target process
PID 1768 wrote to memory of 1316	1768	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1768 wrote to memory of 1316	1768	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1768 wrote to memory of 1316	1768	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1768 wrote to memory of 1316	1768	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1316 wrote to memory of 1052	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1316 wrote to memory of 1052	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1316 wrote to memory of 1052	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1316 wrote to memory of 1052	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
PID 1316 wrote to memory of 676	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 1316 wrote to memory of 676	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 1316 wrote to memory of 676	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 1316 wrote to memory of 676	1316	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 676 wrote to memory of 1428	676	cmd.exe	PING.EXE
PID 676 wrote to memory of 1428	676	cmd.exe	PING.EXE
PID 676 wrote to memory of 1428	676	cmd.exe	PING.EXE
PID 1052 wrote to memory of 1572	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 1052 wrote to memory of 1572	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 1052 wrote to memory of 1572	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 1052 wrote to memory of 1572	1052	78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe	cmd.exe
PID 1572 wrote to memory of 1580	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1580	1572	cmd.exe	taskkill.exe
PID 1572 wrote to memory of 1580	1572	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 380	1384	svchost.com	explorer.exe
PID 1384 wrote to memory of 380	1384	svchost.com	explorer.exe
PID 1384 wrote to memory of 380	1384	svchost.com	explorer.exe
PID 1384 wrote to memory of 380	1384	svchost.com	explorer.exe

C:\Users\Admin\AppData\Local\Temp\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
"C:\Users\Admin\AppData\Local\Temp\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
    "C:\Windows\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe" g g g o n e123
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\System32\cmd.exe
      /C taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msftesql.exe /IM sqlagent.exe /IM sqlbrowser.exe /IM sqlservr.exe /IM sqlwriter.exe /IM oracle.exe /IM ocssd.exe /IM dbsnmp.exe /IM synctime.exe /IM mydesktopqos.exe /IM agntsvc.exe /IM isqlplussvc.exe /IM xfssvccon.exe /IM mydesktopservice.exe /IM ocautoupds.exe /IM agntsvc.exe /IM agntsvc.exe /IM agntsvc.exe /IM encsvc.exe /IM firefoxconfig.exe /IM tbirdconfig.exe /IM ocomm.exe /IM mysqld.exe /IM mysqld-nt.exe /IM mysqld-opt.exe /IM dbeng50.exe /IM sqbcoreservice.exe /IM excel.exe /IM infopath.exe /IM msaccess.exe /IM mspub.exe /IM onenote.exe /IM outlook.exe /IM powerpnt.exe /IM sqlservr.exe /IM thebat64.exe /IM thunderbird.exe /IM winword.exe /IM wordpad.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
- - C:\Windows\System32\cmd.exe
    /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:1428

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\explorer.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RestartExpand.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Filesize
225KB

MD5
8691dae21568faaeda49bcd640e1ad23

SHA1
524b589ef403ff21cf040ef33c21b1d6d8235feb

SHA256
0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

SHA512
870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Filesize
225KB

MD5
8691dae21568faaeda49bcd640e1ad23

SHA1
524b589ef403ff21cf040ef33c21b1d6d8235feb

SHA256
0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

SHA512
870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
3aae4c216c7747305c19515af79fc7a0

SHA1
b5f40b41d6849d8af1b0335a649623193c05abc4

SHA256
5f4d518c3fc80c8dac617405d613fea76a25f08ee8c217edb85fe18b3e493a41

SHA512
9ebcd3d3403df72c627a0990ebb1d0f0826393bf2730106524402e5b6f9bef5841a7cc9d3f0738387fce6682b2a862b33672fc49b69ee659c4494e1fb100079f

Download Submit
C:\Windows\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Filesize
225KB

MD5
8691dae21568faaeda49bcd640e1ad23

SHA1
524b589ef403ff21cf040ef33c21b1d6d8235feb

SHA256
0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

SHA512
870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

Filesize
225KB

MD5
8691dae21568faaeda49bcd640e1ad23

SHA1
524b589ef403ff21cf040ef33c21b1d6d8235feb

SHA256
0a1dbcff63619c4d9072484bb17b3d06300504e836e42df98eadf57e7ad0d0be

SHA512
870aedf4a6ee62cbfdc4c094ddf3da08fb603dc248e36baa9ae833b5f22e930650f97b7d1d1a78787c5ae40e03d131b1814ca34a7264cc9b311cb92f2f1eb30d

Download Submit
memory/380-77-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/380-76-0x0000000000000000-mapping.dmp

Download
memory/676-64-0x0000000000000000-mapping.dmp

Download
memory/1052-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-62-0x0000000000000000-mapping.dmp

Download
memory/1052-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-56-0x0000000000000000-mapping.dmp

Download
memory/1428-66-0x0000000000000000-mapping.dmp

Download
memory/1572-67-0x0000000000000000-mapping.dmp

Download
memory/1580-68-0x0000000000000000-mapping.dmp

Download
memory/1768-60-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/1768-71-0x0000000002630000-0x000000000266E000-memory.dmp

Filesize
248KB

Download
memory/1768-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads