Analysis Overview
SHA256
7cca4f23bd94e5cf9208a12bae1d251a38365c73a89322de96aae09be86f40bf
Threat Level: Known bad
The file aa1efe82b7a8462a234757d822dd2466.exe was found to be: Known bad.
Malicious Activity Summary
Sality
Neshta
Modifies firewall policy service
Windows security bypass
UAC bypass
Neshta family
Detect Neshta payload
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Windows security modification
Modifies system executable filetype association
Checks whether UAC is enabled
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
NSIS installer
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:37
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:37
Reported
2024-01-07 19:39
Platform
win7-20231129-en
Max time kernel
0s
Max time network
124s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Neshta
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2028 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe |
| PID 2028 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe |
| PID 2028 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe |
| PID 2028 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe |
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe
"C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2396-12-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2396-13-0x0000000001D80000-0x0000000002E0E000-memory.dmp
memory/2396-15-0x0000000001D80000-0x0000000002E0E000-memory.dmp
memory/2396-27-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2028-8-0x0000000002B00000-0x0000000002B54000-memory.dmp
\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe
| MD5 | 1ff4eadf86c36055b815504500b8770e |
| SHA1 | feb2673f6060bc3a31a6e145e280942cd73049ae |
| SHA256 | 49090474ef8191988c0b7e9673e981422bb526b7691dfc03c7a50ae500f6ceae |
| SHA512 | 23b1b3f1386858d04c912ed4bceb09c5c69a732699f2ba7384fd4fa2db6303c7678fef0239af7c291193e3101d042bd415bb492571c5b92e6a5170eb548ac2ea |
memory/2028-101-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:37
Reported
2024-01-07 19:40
Platform
win10v2004-20231215-en
Max time kernel
104s
Max time network
144s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Sality
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13181~1.5\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3368 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe |
| PID 3368 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe |
| PID 3368 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe
"C:\Users\Admin\AppData\Local\Temp\aa1efe82b7a8462a234757d822dd2466.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\aa1efe82b7a8462a234757d822dd2466.exe
| MD5 | 729b18ffd039c5574b2d9685401f42c8 |
| SHA1 | 27ef6946fff89bf261b465a3364ca9b333fbadd2 |
| SHA256 | a2ca75d551c5143691815c7b61ee2d7baa469cc758bf25d4344dad852c7a2162 |
| SHA512 | 3fcf6cf454caab2b943e4c419c228d9db156e3ab42a8879b1b13bf21de925180086bea5ff7cb2cf504c32f596c68d3e4af548c6acea5537f55d6ea32e8fc1de9 |
memory/1436-11-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsl7C74.tmp\System.dll
| MD5 | 05e52213cfa17dee760186462a9645ed |
| SHA1 | f6d5e82080bbba65db7d54e89250c95af833aae3 |
| SHA256 | d9d3ffa4c7d7a152f435f4777e72aa1b6a6c0555f277e59eedebc587c3b66ba5 |
| SHA512 | 586eea0bec6345b437667ce528bc2396427dd444a396456e38046a8962e92a52e7ee62b9f6c97f41bc1fb4a1b3905a302d6f7055e26b84e60709ba3b416ad172 |
memory/1436-25-0x0000000002270000-0x00000000032FE000-memory.dmp
memory/1436-26-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1436-27-0x0000000002270000-0x00000000032FE000-memory.dmp
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | 355cb9870b5f65da1d11eaa3e8f40788 |
| SHA1 | 6346a6d3aa55c39175c2bdaf67c0a89e8d383ab8 |
| SHA256 | 754d47f95ce671da871da32afa71fcf46868439e52e78e6eb29d085d5e2b141c |
| SHA512 | 080a738294554ec2906be6c6abc1d49750e936779e624e7550ee9a837912d89592adb089ac6e5eb938ccd71a48947cb8f79ed3227ddb4ea0d66d3f6ac9751374 |
memory/3368-98-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-114-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-115-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-125-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-126-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-127-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-128-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-130-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3368-131-0x0000000000400000-0x000000000041B000-memory.dmp