neshta | b1ad65642a74badfaf05621a5c8967bd36e809d9acb10e597af3170a5d60dd4b

Analysis

max time kernel
129s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Desktop.exe
Size

1023KB
MD5

373e456dd503af72dd73a354ee0f3727
SHA1

0a0abdf14bb5e185c6fded5665b5ab2a19458b1e
SHA256

b1ad65642a74badfaf05621a5c8967bd36e809d9acb10e597af3170a5d60dd4b
SHA512

97d7988b9573fa72381946e783a82d7effe9fa018a1c163c24f70faf0fa6db2fd33a9424a46ebecf91af64879ae10a5c9d674643e8227705bc3a9180c5cdbd4d
SSDEEP

24576:ygZXoZUTVdt7K1wsm7H3BBtpD9sGFIj72IOK02dgGaheZ:xdZbn3DZIj72IP0qXaIZ

Score

10^/10

neshta ramnit xworm banker persistence rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

xworm

words-cells.at.ply.gg:44752

Attributes

install_file
revitool.exe

Signatures

Detect Neshta payload 13 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023246-201.dat	family_neshta
behavioral1/files/0x0006000000023246-205.dat	family_neshta
behavioral1/files/0x0004000000009f6b-227.dat	family_neshta
behavioral1/memory/3904-252-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-340-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-344-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-352-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-356-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-360-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-366-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-380-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-384-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3904-388-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	NN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	Desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	VPNGrabber.exe

Executes dropped EXE 12 IoCs

pid	Process
684	VPNGrabber.exe
4488	svchost.exe
3904	NN.exe
2476	lite.exe
4320	1.exe
2752	2.exe
1992	1.exe
4448	1Srv.exe
4988	NN.exe
952	DesktopLayer.exe
2300	svchost.exe
1656	svchost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	NN.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023262-220.dat	upx
behavioral1/files/0x0006000000023262-222.dat	upx
behavioral1/memory/4448-231-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0007000000023264-230.dat	upx
behavioral1/files/0x0007000000023264-229.dat	upx
behavioral1/memory/952-235-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	NN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1Srv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	NN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	NN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~3.EXE	NN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	NN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	NN.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	NN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	NN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\ELEVAT~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\MSEDGE~3.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\BHO\IE_TO_~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~4.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	NN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	NN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3DB5.tmp	1Srv.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MIA062~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	NN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	NN.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	NN.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\NOTIFI~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\PWAHEL~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	NN.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	1Srv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\IDENTI~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\MSEDGE~1.EXE	NN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13175~1.29\MICROS~1.EXE	NN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MI391D~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\INSTAL~1\setup.exe	NN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	NN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\114018~1.51\COOKIE~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	NN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	NN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	NN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4684	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1294435626"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042638"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31042638"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{77595DF7-1841-11EE-94FE-42A8D75FB09A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1281312343"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1281312343"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "395002979"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042638"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	NN.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4488	svchost.exe
952	DesktopLayer.exe
952	DesktopLayer.exe
952	DesktopLayer.exe
952	DesktopLayer.exe
952	DesktopLayer.exe
952	DesktopLayer.exe
952	DesktopLayer.exe
952	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	svchost.exe
Token: SeDebugPrivilege	4488	svchost.exe
Token: SeDebugPrivilege	2300	svchost.exe
Token: SeDebugPrivilege	1656	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2072	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4488	svchost.exe
2072	iexplore.exe
2072	iexplore.exe
3792	IEXPLORE.EXE
3792	IEXPLORE.EXE
3792	IEXPLORE.EXE
3792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3836	1656	Desktop.exe	86
PID 1656 wrote to memory of 3836	1656	Desktop.exe	86
PID 1656 wrote to memory of 3836	1656	Desktop.exe	86
PID 3836 wrote to memory of 684	3836	cmd.exe	89
PID 3836 wrote to memory of 684	3836	cmd.exe	89
PID 684 wrote to memory of 4488	684	VPNGrabber.exe	90
PID 684 wrote to memory of 4488	684	VPNGrabber.exe	90
PID 4488 wrote to memory of 4684	4488	svchost.exe	94
PID 4488 wrote to memory of 4684	4488	svchost.exe	94
PID 3836 wrote to memory of 3904	3836	cmd.exe	99
PID 3836 wrote to memory of 3904	3836	cmd.exe	99
PID 3836 wrote to memory of 3904	3836	cmd.exe	99
PID 3836 wrote to memory of 2476	3836	cmd.exe	100
PID 3836 wrote to memory of 2476	3836	cmd.exe	100
PID 3836 wrote to memory of 2476	3836	cmd.exe	100
PID 3836 wrote to memory of 4320	3836	cmd.exe	101
PID 3836 wrote to memory of 4320	3836	cmd.exe	101
PID 3836 wrote to memory of 4320	3836	cmd.exe	101
PID 3836 wrote to memory of 2752	3836	cmd.exe	102
PID 3836 wrote to memory of 2752	3836	cmd.exe	102
PID 3836 wrote to memory of 2752	3836	cmd.exe	102
PID 3836 wrote to memory of 1992	3836	cmd.exe	103
PID 3836 wrote to memory of 1992	3836	cmd.exe	103
PID 3836 wrote to memory of 1992	3836	cmd.exe	103
PID 1992 wrote to memory of 4448	1992	1.exe	104
PID 1992 wrote to memory of 4448	1992	1.exe	104
PID 1992 wrote to memory of 4448	1992	1.exe	104
PID 3904 wrote to memory of 4988	3904	NN.exe	105
PID 3904 wrote to memory of 4988	3904	NN.exe	105
PID 3904 wrote to memory of 4988	3904	NN.exe	105
PID 4448 wrote to memory of 952	4448	1Srv.exe	106
PID 4448 wrote to memory of 952	4448	1Srv.exe	106
PID 4448 wrote to memory of 952	4448	1Srv.exe	106
PID 952 wrote to memory of 2072	952	DesktopLayer.exe	107
PID 952 wrote to memory of 2072	952	DesktopLayer.exe	107
PID 2072 wrote to memory of 3792	2072	iexplore.exe	108
PID 2072 wrote to memory of 3792	2072	iexplore.exe	108
PID 2072 wrote to memory of 3792	2072	iexplore.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\if_temp_292\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\if_temp_292\VPNGrabber.exe
    VPNGrabber.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Users\Admin\svchost.exe
      "C:\Users\Admin\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4684
- - C:\Users\Admin\AppData\Local\Temp\if_temp_292\3\NN.exe
    3\NN.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\NN.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\NN.exe"
      4⤵
      Executes dropped EXE
      PID:4988
- - C:\Users\Admin\AppData\Local\Temp\if_temp_292\4\lite.exe
    4\lite.exe
    3⤵
    - Executes dropped EXE
    PID:2476
- - C:\Users\Admin\AppData\Local\Temp\if_temp_292\5\1.exe
    5\1.exe
    3⤵
    - Executes dropped EXE
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\if_temp_292\5\2.exe
    5\2.exe
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\if_temp_292\6\1.exe
    6\1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\if_temp_292\6\1Srv.exe
      C:\Users\Admin\AppData\Local\Temp\if_temp_292\6\1Srv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4448
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:17410 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3792

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\svchost.exe
C:\Users\Admin\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QM3UZKSX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\NN.exe

Filesize
92KB

MD5
55ada1964bf202d9210c76794b55a0da

SHA1
af0423e9b6fd5aa049d8aec355d40ca64c2e0bce

SHA256
b30f5c1f2acf361196ace19a4d62b4a8575db190373f124fda12359f131dcd21

SHA512
528042a688dbff422ab24a6bf9bc13441b2dc269f04cf4c7b2d9335a9de841e41551e4322c51d846cb7c7b1dd6469a5043ce7028bc845b80b7e222efeedf473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\NN.exe

Filesize
92KB

MD5
55ada1964bf202d9210c76794b55a0da

SHA1
af0423e9b6fd5aa049d8aec355d40ca64c2e0bce

SHA256
b30f5c1f2acf361196ace19a4d62b4a8575db190373f124fda12359f131dcd21

SHA512
528042a688dbff422ab24a6bf9bc13441b2dc269f04cf4c7b2d9335a9de841e41551e4322c51d846cb7c7b1dd6469a5043ce7028bc845b80b7e222efeedf473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\NN.exe

Filesize
92KB

MD5
55ada1964bf202d9210c76794b55a0da

SHA1
af0423e9b6fd5aa049d8aec355d40ca64c2e0bce

SHA256
b30f5c1f2acf361196ace19a4d62b4a8575db190373f124fda12359f131dcd21

SHA512
528042a688dbff422ab24a6bf9bc13441b2dc269f04cf4c7b2d9335a9de841e41551e4322c51d846cb7c7b1dd6469a5043ce7028bc845b80b7e222efeedf473e

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\3\NN.exe

Filesize
133KB

MD5
facfd5ab6a6845f63ccc58ddf2787f84

SHA1
e08c3d47b5866e5f3153e4c34ccc840f5e7742f7

SHA256
ad0d34a2459be6a2af93a2659aa1e64982e1307a1ae6b5b02ffe6c12e96bd51f

SHA512
92cb895af033633ae444a96247ddcf8ed43f298399c7c37ee9fab9fae254df42f5f28a5c7b7c85e5bb0fa78fb5af8b73ce128312175c6072be8c07e25680d68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\3\NN.exe

Filesize
133KB

MD5
facfd5ab6a6845f63ccc58ddf2787f84

SHA1
e08c3d47b5866e5f3153e4c34ccc840f5e7742f7

SHA256
ad0d34a2459be6a2af93a2659aa1e64982e1307a1ae6b5b02ffe6c12e96bd51f

SHA512
92cb895af033633ae444a96247ddcf8ed43f298399c7c37ee9fab9fae254df42f5f28a5c7b7c85e5bb0fa78fb5af8b73ce128312175c6072be8c07e25680d68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\4\lite.exe

Filesize
249KB

MD5
c54fe8ac8a8e3f6b502b31274c87ac7c

SHA1
59adbaed4ffd27b6e775ce0e7e57c5fc23e857f5

SHA256
35a72cf24cea8b95f5b0a09e84ff1544c14fcf3a13d2b6e04d46c86d01ee2993

SHA512
6ab6d21a647d9f56c30632f26c847dce699ced169c4128d8c23c943ccfce29058215363d759484b5e232bd429e862e84ad6f3943ebb00a3e4a550541774029a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\4\lite.exe

Filesize
249KB

MD5
c54fe8ac8a8e3f6b502b31274c87ac7c

SHA1
59adbaed4ffd27b6e775ce0e7e57c5fc23e857f5

SHA256
35a72cf24cea8b95f5b0a09e84ff1544c14fcf3a13d2b6e04d46c86d01ee2993

SHA512
6ab6d21a647d9f56c30632f26c847dce699ced169c4128d8c23c943ccfce29058215363d759484b5e232bd429e862e84ad6f3943ebb00a3e4a550541774029a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\5\1.exe

Filesize
316KB

MD5
7f31508d95be3fe50e4e9aa646e86a12

SHA1
c61b439d6e17d630728f48c09b36af2647940748

SHA256
994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

SHA512
2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\5\2.exe

Filesize
316KB

MD5
135eeb256e92d261066cfd3ffd31fb3e

SHA1
5c275ffd2ab1359249bae8c91bebcab19a185e91

SHA256
f0fe346146c30129ed6f507906c973f1a54c7d8dd8821c97e9b6edc42545699d

SHA512
a3792f92b116851023620d862cac6d2b5542de41390b6b8d223074db94193f0ee6dfcc9d6588ea3e77173f73c7fdfc5f9a1e1044c597636fe275d9ff4b76a12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\6\1.exe

Filesize
167KB

MD5
73d51997f201501a641743db5494f864

SHA1
01a10a3f7d3e62e70538273285f4f4ef75793465

SHA256
7d0eb3c271e15811bfce3acebdbe17cb7d91ed01b988092d050ab9b88bbf367f

SHA512
28549142ffc196a5b23110f1999f56c25491ab3c31f2a3896bdb57d8fcb852487fb3e7b648366f998decfbdb910aadf74036729d24660ab9a1972aea190310eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\6\1.exe

Filesize
167KB

MD5
73d51997f201501a641743db5494f864

SHA1
01a10a3f7d3e62e70538273285f4f4ef75793465

SHA256
7d0eb3c271e15811bfce3acebdbe17cb7d91ed01b988092d050ab9b88bbf367f

SHA512
28549142ffc196a5b23110f1999f56c25491ab3c31f2a3896bdb57d8fcb852487fb3e7b648366f998decfbdb910aadf74036729d24660ab9a1972aea190310eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\6\1Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\6\1Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\VPNGrabber.exe

Filesize
91KB

MD5
57739fd60a74b89640d3a010542d5188

SHA1
1402473809a3d49a166f3ad8b603a4db775c46a3

SHA256
29323e1e50ffd24045fbd4e7a75acb5703d428b0a78220a470c317c2b31cbd3f

SHA512
1e79a49644a47dbfffe993357056e48e17cdf346cec5230a0fc42cbc45e8f882ba3c0a62e179cdeb2ca9c67158a78ef20f983abeefa48a08e372024681d6cd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\VPNGrabber.exe

Filesize
91KB

MD5
57739fd60a74b89640d3a010542d5188

SHA1
1402473809a3d49a166f3ad8b603a4db775c46a3

SHA256
29323e1e50ffd24045fbd4e7a75acb5703d428b0a78220a470c317c2b31cbd3f

SHA512
1e79a49644a47dbfffe993357056e48e17cdf346cec5230a0fc42cbc45e8f882ba3c0a62e179cdeb2ca9c67158a78ef20f983abeefa48a08e372024681d6cd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\if_temp_292\start.bat

Filesize
239B

MD5
da68d877e6937a9b6b9879ff76e7260d

SHA1
af24de7771272dbd56ffbe2c013be85d9c606f66

SHA256
028ae0428ebb23b5fb6211aedf57c65617707f35cc23fbba01f0fc6bb9591a25

SHA512
84b4165873da9e14dfecac56e77457456eda86f2537cd0b4188ec2536ff9f2f49c64dfff5b22e63831838da7209b7014cebaa4f6729b2b2bd4c390a4f6f61624

Download Submit
C:\Users\Admin\svchost.exe

Filesize
78KB

MD5
86b5420f63fa6c7397ec63abed183017

SHA1
964f362a68d4e93dc44abc3e1295089dfde8f647

SHA256
7c8c33abe841c1ab5ea2e0189abce3aab6c98612191e99e8529cbb813ba290cf

SHA512
697ffcc1a536ee5e96f8d55ab5fba9f597a93fcb4902ac2524af5e8d55eaef78a21b1ab45151ee9b8cf27f2209d0646d81699ac6e06bdde5cee1a279af433561

Download Submit
C:\Users\Admin\svchost.exe

Filesize
78KB

MD5
86b5420f63fa6c7397ec63abed183017

SHA1
964f362a68d4e93dc44abc3e1295089dfde8f647

SHA256
7c8c33abe841c1ab5ea2e0189abce3aab6c98612191e99e8529cbb813ba290cf

SHA512
697ffcc1a536ee5e96f8d55ab5fba9f597a93fcb4902ac2524af5e8d55eaef78a21b1ab45151ee9b8cf27f2209d0646d81699ac6e06bdde5cee1a279af433561

Download Submit
C:\Users\Admin\svchost.exe

Filesize
78KB

MD5
86b5420f63fa6c7397ec63abed183017

SHA1
964f362a68d4e93dc44abc3e1295089dfde8f647

SHA256
7c8c33abe841c1ab5ea2e0189abce3aab6c98612191e99e8529cbb813ba290cf

SHA512
697ffcc1a536ee5e96f8d55ab5fba9f597a93fcb4902ac2524af5e8d55eaef78a21b1ab45151ee9b8cf27f2209d0646d81699ac6e06bdde5cee1a279af433561

Download Submit
C:\Users\Admin\svchost.exe

Filesize
78KB

MD5
86b5420f63fa6c7397ec63abed183017

SHA1
964f362a68d4e93dc44abc3e1295089dfde8f647

SHA256
7c8c33abe841c1ab5ea2e0189abce3aab6c98612191e99e8529cbb813ba290cf

SHA512
697ffcc1a536ee5e96f8d55ab5fba9f597a93fcb4902ac2524af5e8d55eaef78a21b1ab45151ee9b8cf27f2209d0646d81699ac6e06bdde5cee1a279af433561

Download Submit
C:\Users\Admin\svchost.exe

Filesize
78KB

MD5
86b5420f63fa6c7397ec63abed183017

SHA1
964f362a68d4e93dc44abc3e1295089dfde8f647

SHA256
7c8c33abe841c1ab5ea2e0189abce3aab6c98612191e99e8529cbb813ba290cf

SHA512
697ffcc1a536ee5e96f8d55ab5fba9f597a93fcb4902ac2524af5e8d55eaef78a21b1ab45151ee9b8cf27f2209d0646d81699ac6e06bdde5cee1a279af433561

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/684-160-0x0000000000E00000-0x0000000000E1E000-memory.dmp

Filesize
120KB

Download
memory/952-232-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/952-235-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1992-234-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1992-233-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2752-254-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3904-356-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-344-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-352-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-252-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-366-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3904-388-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4320-253-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4448-231-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4488-199-0x0000000000110000-0x000000000012A000-memory.dmp

Filesize
104KB

Download