neshta | dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6

Analysis

max time kernel
143s
max time network
140s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
Size

1.8MB
MD5

eb05e6c9605f07bd1273cae32a63e651
SHA1

e4501f6e52f156bb7abdfde445ea8150f6b5b70c
SHA256

dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6
SHA512

60d052646156421b0eb668a7bd45bc16c9e7c87ef9561223c3119f259773a2c0bc408ee3824578daa998c081421192b85e92f4508d765d675a897f455cfe31a3
SSDEEP

6144:k9WN/ycwcZIp5rW65DyH5pIWgIWkAOUs70ha2xcU2mZK6K8p:vIcKp5P+t+s7R2xcU2EK6Kg

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010323-10.dat	family_neshta
behavioral1/memory/1900-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1900-562-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1900-563-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1900-565-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 1 IoCs

pid	Process
2360	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
1900	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a529a2e22ae42f4084bf8a2f7b0415b200000000020000000000106600000001000020000000c6c4308d77a9f88d0a7fbf8167e20b7d499ef485ca11c29387c3da9b2605a046000000000e80000000020000200000005711c12b83da5e54ade1b9bdad40eb1badaec4f038b9f1631638a8d2803d85e120000000d3ec4604550347cc669e6c04293980e39b3b93a4017297593ce6a409d4de75474000000037d497ec2ea2dda9e15bc82d3ddb0425349ca90ef9805e8472c48c1ad1d7bff777255c91a1f3197bad0070e9129460571f09573b857aa59f0edacb6093c20c5b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f56b228d87da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418506154"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BEB18B1-F380-11EE-B6C6-569B02648541} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a529a2e22ae42f4084bf8a2f7b0415b200000000020000000000106600000001000020000000920d426852a765e039c5c77945b63c537cddbcfa48c988459af24cf20efc9e66000000000e80000000020000200000003c93271bd754098471e02ffe2bcbcca3d6891ecf97c457e8559870f3bef9217490000000eb0a8944d3f64ca7dcd258505c7a9ff9a974e4cbb6a80474f05dd9411c3cd9451055098124685a2f1b11c6d57bbe856e3c42c627dc16d6e3d2bfb8a2456545fdc0415d2fe7ef34c90d1d77004f632ac54521926eeeba7d119fa2e620f785134473062b257f84148277ba20f4926736c7d3f44f11096c9d299240eeb593fb7afafb1f3ccf0ae824814ba3866436ffb9bf400000005281b64581f67237cbc33cff1a2b254164e5cc155aeadae4d48b21a203bfc9cde19732e4a96dcffb7926b89d680d4dec891557ce000b1cb2a55167e692cfaa58	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2500	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2500	iexplore.exe
2500	iexplore.exe
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE
1528	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2360	1900	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	28
PID 1900 wrote to memory of 2360	1900	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	28
PID 1900 wrote to memory of 2360	1900	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	28
PID 1900 wrote to memory of 2360	1900	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	28
PID 2360 wrote to memory of 2500	2360	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	29
PID 2360 wrote to memory of 2500	2360	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	29
PID 2360 wrote to memory of 2500	2360	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	29
PID 2360 wrote to memory of 2500	2360	dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe	29
PID 2500 wrote to memory of 1528	2500	iexplore.exe	31
PID 2500 wrote to memory of 1528	2500	iexplore.exe	31
PID 2500 wrote to memory of 1528	2500	iexplore.exe	31
PID 2500 wrote to memory of 1528	2500	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
"C:\Users\Admin\AppData\Local\Temp\dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://line.me/download
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0d66ec54b9dd59d99f765e9fe58b49bc

SHA1
bf8321f26c860b96c5a8b20aca94f45d82e31726

SHA256
4296042c7145bd55f6fce0eb54af9711c737a956f6bde15fb06440c0a92c21af

SHA512
157922435dac7ddb3f422ae6e640aedfb26a6801d24d73a00cc78a01762da49452fd4b99f6acd86376a1318c836c15e3ec85d67e7b93ec154911f36edc6486e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dcaecb98528162ba95d80c13808605f3

SHA1
ceae92b39b72d9ea5f832160d25c38aade1d3012

SHA256
d509ba400e75e13826f277eec752862870c5dc88a59d85676700c57c3337a33d

SHA512
92d30b86ccd80a05da58dba9c1ab8cccd4a180ceea6d7f833413ae8eae66c51762d900cf6d33231a80579b29edca7e80ffa9914b85742966c5ce1d1c30baa40a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5207d61859519b5ea1440243aad7bcb1

SHA1
f32d4b17624f7472184029ca5f1746b387fefff0

SHA256
4cc930cd59916a8902a98b652c956bcc59566cdcd46538501708a4d51de58bf2

SHA512
106bb1f1e62afa830a6e4f60a798811e9f3d5e832c914cb8f546a457e742a78c5c56706d99aad077d3f7e3cda0c8bdba75450942fbaa340a206e572088cae6ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f5e98382bec072464330c8e645c7e40f

SHA1
abe879440bf56003c64e32b1cac502ec2dbc5506

SHA256
0e1b8080aef6ee0ca865c17464ea3811264e5c4e3bc1c7e982c229dbb81ba829

SHA512
7d2a0ad94c87b1f6c5f3799080c12a35e9d829f075ff4c033915f4e49a6ce9f4b7f9e02930e9fc799fc5921345098b09b5f60325f30a7ddbb6a827510384fe52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6d65367fdcb6c312976f76be14f6c790

SHA1
da0445a5d624177a4d649cc6724c2f6accdd4aa0

SHA256
919960216f38bd9309cb9cf6120adf2f06d2d807e1e9f85a42937535f8f87b2b

SHA512
fb1ab4e107ac37c91010eb1397a0fc24937de6fa0ef2bebdb04c4ecb3404e82f8ada86bbfd92656fc90f59dc4ff50409dd21ffb58e02154c6ebe1d191a133a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
54fb3b73c0f53567a67a627e4a202005

SHA1
a31eb961e355e85f4084928b07e12e868242c2f6

SHA256
0c668af460c2797f88da4179257bb508211aa823464add1ad203746bac0b6101

SHA512
3d51ddc6c3931afcff3406af8bf6b080395a1c84d736aae61b26dfe940ad6ebdeeec443a893f002651766d54f737cae8e89ebecdd5a0bd535a31cb520d1ff9bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
924c7098d4401b6e3d79d5f9806eefdc

SHA1
851e41c30b75059946073141ff9a6ef0e0193390

SHA256
79cecbf808facbc68339a97eea89cd7719e98dbe4573366787039d9442a68bdc

SHA512
52e497b35a90ebfa121b11c9beaddfd76e2f0b4365ebf5a79d645e696e46369804460b98cb1638bf19e1968b44547ac895e6c831256a1c537d614c698baee79e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
92d982cd65dcfe7bc853bb6af910d0f9

SHA1
1fcc1e17c6a4f64efae18c84d01dc204bb1f18d9

SHA256
bf32e83427ac58413ce5a57137d851275a53b3aac9237fdf54360996fe279502

SHA512
689f8c0e7ab040eab1f7243656774c29d0d97ecaa5ff706b9a657ff918a8b517fef03d5b20285e11069798123b07fcdc1f1b3d89a77085aa037b351ce401606b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
36fcc34bda94e7420939b68ad94f7d2f

SHA1
eac12a833b7ec85e530181fa64c3dafe6c450bfe

SHA256
cd851514c5e8b1bfcd29e1644ccba62c4b3693fb185f827e6802cd257636a6ca

SHA512
c7b54cd88037d2e93f01d2b01fb823489afcb74f065f954999c86e2187b4065b33f0dcdb66cbf84004deccf3bf7ddcd99b3e8e81bfb4db306b5568d65cc584de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f476ccf5a864f03ef59f639e5ccd592a

SHA1
d61c700a0122fee0457b773c59ecfc344faa2d02

SHA256
ca9ee5d085b6408e32a6ab99d165d3b67fef49eb985d3a34755306c55e98a830

SHA512
d484e54b6568d367264bd5628f19efc7b39150600d646ec32c58d5216b5ae24d5b74d4f085cda0f38a355159e14a41d12d90474cf29563b1ea4c4f89c92040cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9cbf2c2ea4812515acbb91db74a167ad

SHA1
2febbad0da4dcbb9607828fb21188f4fdc2b0fb3

SHA256
dda31b7f07a33fa4d9358300fe45d2c677c2a53e787aa562138b00bc44958388

SHA512
dda6560d925de2fd1b01e5b744fadd3fcbcd0a7bd77478dc4ca0496e75381f768128c7eda08ad38bf72341e15411e6a8961e5890efa8a097578431c2f545b8dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6a268890891408acc1e3cc202eb326c8

SHA1
ac1549609b75f6a05fb8f89def1b607419ef63b5

SHA256
0127ad5ef4bdece48472ad046aecc46903236bab70175c7106fb81f8a23df4a5

SHA512
1bca3c6139ade4ead3f9ea6df2334e6b58773a4c6234176db92794aef9035e808a0ac1543a766cbcf9a7f4560d83be7876f566a497739438e07303f56dc1d7cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c5a1e7530b3d93bd48833bb27170cdbe

SHA1
0b8f2b2c7bfbf324c7ac59d7f58161e821181362

SHA256
3878945ce309800e3594fec194cb17d306d992f0870a87ca219773c75521046f

SHA512
d723e81f666682907ab661ee6ca9b3ca86b823c17e421e386385638156440c7a6c051487be73a361d6514ed805a8ee0958cbd2748774b8551ccda8c9861ccbef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
96e286cfc519e06b9d96c4631c240adc

SHA1
47db9ec4ecc0673827722aeddf9cd45874443d77

SHA256
aef6f87dc0a839a27c34ce65a1bfe9fa652c7f3e229a774d37a2642c587c2803

SHA512
71a44617fba72e4838597ad6429c1d99740cd3744171bce6565bcea39727130233e33f16a5f29a84c0a66ff11c27797c42e04ff4808321a5f2053ed8eea251cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d2ed413c43966eac3292ad8914706ade

SHA1
af3e4123054bc5a2178694bcd60d507a25471c94

SHA256
3ba7852e5f3cdce6f446585086a44564304382693b1acb19349ff94b61624295

SHA512
591648bb19f9f32b61d49634b1970a494a0ad91bcc78e0d70a242d57cea413e6d7096de425b77a57a86e8b65d0acb22df719541a67ceae82a2f3d637edddceed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cbb7c0acc35e7ffeb83280b5284493e2

SHA1
411ed96ee47bf3012934a56d9edcd771efca05cd

SHA256
2c4cff1a387ae51c153a92d91d77c647e8af81131be53c33b47b95f42bd6812d

SHA512
7eff6d41c521aacc1d1706b1368f00b6273a452cc4bc9ff87d7c5aa3dea73487e42ccc88c66c70c31e8fa3d3addac2486cbf12271314a04ec1cf821fe9e595e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
bc866cd3e229d9359debf08437c7a8ad

SHA1
cd8c23adc5f3d96bab441afa0f2be88e237346cf

SHA256
ec0b56d9fb1c543b0272d9592a78d3f311d5da2c2093aa6f8a29200a25c0d4b1

SHA512
0ac0909df582b3e9e3d74b5e77f112453dbb70e4aaea3c1871220f8dbeb39e2c8180845eefd966e9e754b45b3e398cc1c50516e8875e672124a9169815e13fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d3eb751f3ef157fc56535f7f3ac1ea39

SHA1
74beaa4488d5287a32af1dc478652565bc5e1715

SHA256
a5b5a5dc960340490e808b49c2867d811ac701b48dd79924d03f7e945a88c684

SHA512
4e703e1bf85e0a4eaa69024257223d7577dfe9167474065b90e6ee524a22115de82431daa7bc767fdbb8fcc272501dc7fe1551b8242479345974bd3299a03054

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ae1ef3706a293d085bf26e10fb6208d2

SHA1
996e665516751ebc87c7bb2f63820463092a56e8

SHA256
48bbae71801e2dc606684836d433ca44a6586618cc23178ca3287fce41ea802d

SHA512
f3ff33b7480052f6171e6f6b4d0baac9d09dcbfaa4a3b2086ff0757af899baef419c63a0b2799453e6b8d59ba3b2841310637b303994f4aa564955677acaec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab737E.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab744B.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar748E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\dcfa407d3bdc09aadf1641835ad17947cc73b80d06373bc929fe3d3d759dabb6.exe

Filesize
1.7MB

MD5
d1be18f344199cd580adf499a0c99a2b

SHA1
63fb7292871711c00c7bc355bcbcf02e95f9085b

SHA256
a6b90489a1b03296156d62a24d5296f97182c5478035ed66c09d40525ac0ebf9

SHA512
1fab241199e69ec855ec352b9f8b19361311b9328b9aa0f2dc31273e5193d319821a6efdffc47dd5682e8c0fb2d5c0496fe5310c7ea8811b7c6dcf83051f66d4

Download Submit
memory/1900-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-565-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-563-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1900-562-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads