neshta | 75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9

General

Target

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
Size

728KB
MD5

2f8cf1eacce33f87429c022d57a1ebea
SHA1

a9ebe3f2e6de49eda0493cbae362d2b033461243
SHA256

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9
SHA512

54f9afe991c68b7083db5e4b514bfa693a63e1d4d40f94d0d4e95b0a545252bffb3acb8a38f84621cadfb7aa1126a91d579cddef254a2f4b318450e3f9af8f18
SSDEEP

12288:mtOoZILRpev2DcHXpER+tNEty+8vzCxrml3bREqKzztrXWqahU5/R7tOjaAqVh6g:muJD+XqRuKtsbCxKl3b2qkhWRi/RBOja

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3480-39-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3480-37-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3480-49-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3480-51-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3480-195-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3480-197-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1920-9-0x0000000005420000-0x000000000542C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

Processes:

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

description	pid	process	target process
PID 1920 set thread context of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

Drops file in Program Files directory 64 IoCs

Processes:

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

Drops file in Windows directory 1 IoCs

Processes:

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

description ioc process

File opened for modification C:\Windows\svchost.com 75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3624 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

pid	process
3624	schtasks.exe

Modifies registry class 1 IoCs

Processes:

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

pid	process
4324	powershell.exe
1288	powershell.exe
1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
4324	powershell.exe
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exe75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

description	pid	process
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

C:\Users\Admin\AppData\Local\Temp\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
"C:\Users\Admin\AppData\Local\Temp\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fxIsxsw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxIsxsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E6C.tmp"
2⤵
- Creates scheduled task(s)
PID:3624

C:\Users\Admin\AppData\Local\Temp\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
"C:\Users\Admin\AppData\Local\Temp\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe"
2⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
"C:\Users\Admin\AppData\Local\Temp\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe"
2⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

Scheduled Task/Job

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
328KB

MD5
663ed8b7c46f3b72587318e591f4a361

SHA1
c44d4014b06be83fadaa9c5a47ce00b18af69969

SHA256
5517b70a239e535f85a736e87c5deddec7dc48cb661cb042c51856d24abcd337

SHA512
274a4d9707c66acb916e1fdaeded258319dff6e334242534bd19a6324766985a5c145cc65097020302029c2957b8534f10bbadb1ba1c6d0a59500b013b9a0afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
dced8038daabfeebbc4193f99b75f3a8

SHA1
8513ee8d843ac5756c80bcea21940005a56eab4a

SHA256
70efe735b5c18c4f0de5a4a957d99c2937794e9e679695d2f622bf7a2d30e258

SHA512
a2b9dd95fa97b435b89d268c7188d3ff2c2e83021441f21bd1567413577cf5b2209d34456639a1527281e6b5a7fe330ecf8d9968cf7cc8e6502e93b1d2e2e32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
Filesize
688KB

MD5
311fc7d3b1c40b9d54449b4438aec966

SHA1
9ade2bc2022780482f48903261241951561ca1ef

SHA256
c5aac26124429fbf9712105ffae772d81190c6af63d241c92e0432f96da25f58

SHA512
81545eca187040fd181c62312cc8c29c4b51cacf8ff350b124caa2cb49034068b5e34dbe43aef79968ff735f5892049a1d6e5ba484cc4bc1d69eef0bd9f27e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzh35egv.pmi.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E6C.tmp
Filesize
1KB

MD5
613a993d84134b6390a3b9dd395aa2fd

SHA1
ff1d15fa295c71b14d3090ff49e49cf80a28a04f

SHA256
650b3519a51330b0b3932df5cbe9ca3b04badce3aa862c8164f863ea7aea0219

SHA512
9d199131f89771aacfeea12d8ce9e283bb76f5f258ff45db5279a41451fd39e0608b93fba785544c82297cb6b31b7a046d859a91e52b1c7001f72aeec7c1e2a9

Download Submit
C:\Users\Admin\AppData\Roaming\fxIsxsw.exe
Filesize
728KB

MD5
2f8cf1eacce33f87429c022d57a1ebea

SHA1
a9ebe3f2e6de49eda0493cbae362d2b033461243

SHA256
75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9

SHA512
54f9afe991c68b7083db5e4b514bfa693a63e1d4d40f94d0d4e95b0a545252bffb3acb8a38f84621cadfb7aa1126a91d579cddef254a2f4b318450e3f9af8f18

Download Submit
memory/1288-16-0x0000000005300000-0x0000000005336000-memory.dmp

Filesize
216KB

Download
memory/1288-18-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/1288-107-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/1288-90-0x0000000007880000-0x0000000007923000-memory.dmp

Filesize
652KB

Download
memory/1288-64-0x0000000007830000-0x0000000007862000-memory.dmp

Filesize
200KB

Download
memory/1288-108-0x0000000007C50000-0x0000000007C5A000-memory.dmp

Filesize
40KB

Download
memory/1288-65-0x000000007F0F0000-0x000000007F100000-memory.dmp

Filesize
64KB

Download
memory/1288-17-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/1288-19-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/1288-106-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/1288-193-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/1288-66-0x0000000070E50000-0x0000000070E9C000-memory.dmp

Filesize
304KB

Download
memory/1288-22-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/1288-76-0x0000000007810000-0x000000000782E000-memory.dmp

Filesize
120KB

Download
memory/1288-25-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/1288-26-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/1288-82-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/1288-175-0x0000000007F20000-0x0000000007F3A000-memory.dmp

Filesize
104KB

Download
memory/1288-171-0x0000000007E20000-0x0000000007E34000-memory.dmp

Filesize
80KB

Download
memory/1288-139-0x0000000007DE0000-0x0000000007DF1000-memory.dmp

Filesize
68KB

Download
memory/1920-9-0x0000000005420000-0x000000000542C000-memory.dmp

Filesize
48KB

Download
memory/1920-0-0x0000000000750000-0x000000000080C000-memory.dmp

Filesize
752KB

Download
memory/1920-52-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-11-0x0000000008DA0000-0x0000000008E3C000-memory.dmp

Filesize
624KB

Download
memory/1920-10-0x0000000005E80000-0x0000000005F0C000-memory.dmp

Filesize
560KB

Download
memory/1920-8-0x0000000005400000-0x0000000005408000-memory.dmp

Filesize
32KB

Download
memory/1920-7-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/1920-6-0x0000000005530000-0x00000000055D8000-memory.dmp

Filesize
672KB

Download
memory/1920-5-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/1920-4-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1920-3-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/1920-2-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/1920-1-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/3480-49-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3480-51-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3480-197-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3480-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3480-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3480-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4324-63-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/4324-176-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/4324-128-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/4324-94-0x000000007FB50000-0x000000007FB60000-memory.dmp

Filesize
64KB

Download
memory/4324-169-0x0000000007330000-0x000000000733E000-memory.dmp

Filesize
56KB

Download
memory/4324-104-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4324-43-0x0000000005860000-0x0000000005BB4000-memory.dmp

Filesize
3.3MB

Download
memory/4324-62-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

Filesize
120KB

Download
memory/4324-23-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/4324-20-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/4324-21-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4324-194-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/4324-105-0x0000000004840000-0x0000000004850000-memory.dmp

Filesize
64KB

Download
memory/4324-93-0x0000000070E50000-0x0000000070E9C000-memory.dmp

Filesize
304KB

Download

description	pid	process	target process
PID 1920 wrote to memory of 1288	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	powershell.exe
PID 1920 wrote to memory of 1288	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	powershell.exe
PID 1920 wrote to memory of 1288	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	powershell.exe
PID 1920 wrote to memory of 4324	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	powershell.exe
PID 1920 wrote to memory of 4324	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	powershell.exe
PID 1920 wrote to memory of 4324	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	powershell.exe
PID 1920 wrote to memory of 3624	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	schtasks.exe
PID 1920 wrote to memory of 3624	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	schtasks.exe
PID 1920 wrote to memory of 3624	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	schtasks.exe
PID 1920 wrote to memory of 3084	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3084	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3084	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe
PID 1920 wrote to memory of 3480	1920	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe	75854947a6a21c6fdacee3b080ad9f9c8c86546b54410a968d6f09c23e5d00c9.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads