neshta | b81ebbf80b7d08706abef17034eaf5ef28b642acb41bf972f1ade452ff741f30

General

Target

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Size

804KB
MD5

daf5ddf2a53dde0a2398973fc6ac93e0
SHA1

a225fec587cb4763eba40943c88396a86e74c6c4
SHA256

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d
SHA512

19d4ed705cb2550c9a5bf6f8ca0c5800c166ee20a64a401eff46b284c39ed5a8b1ed6838513379c60eae18d53e0d7e4dc0f43857b815c9c138664f6dd5bf738c
SSDEEP

12288:zENN+T5xYrllrU7QY6/5xYrllrU7QY6vaLo3K3ahaMcqDJXKuJUsENN+7:Z5xolYQY6/5xolYQY6UomahakN6uJUs

Score

10^/10

neshta evasion persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 2 IoCs

Processes:

resource	yara_rule
\??\c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	family_neshta
behavioral1/memory/2588-153-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2588	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2540	icsys.icn.exe
2684	explorer.exe
2324	spoolsv.exe
2428	svchost.exe
1944	spoolsv.exe

Loads dropped DLL 15 IoCs

Processes:

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exed4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

pid	process
2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2540	icsys.icn.exe
2540	icsys.icn.exe
2684	explorer.exe
2684	explorer.exe
2324	spoolsv.exe
2324	spoolsv.exe
2428	svchost.exe
2428	svchost.exe
2588	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2588	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2588	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

Drops file in Windows directory 7 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exed4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\svchost.com	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
2540	icsys.icn.exe
2684	explorer.exe
2684	explorer.exe
2684	explorer.exe
2428	svchost.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe
2684	explorer.exe
2428	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2684 explorer.exe
2428 svchost.exe

pid	process
2684	explorer.exe
2428	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2540	icsys.icn.exe
2540	icsys.icn.exe
2684	explorer.exe
2684	explorer.exe
2324	spoolsv.exe
2324	spoolsv.exe
2428	svchost.exe
2428	svchost.exe
1944	spoolsv.exe
1944	spoolsv.exe
2684	explorer.exe
2684	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2872 wrote to memory of 2588	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
PID 2872 wrote to memory of 2588	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
PID 2872 wrote to memory of 2588	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
PID 2872 wrote to memory of 2588	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
PID 2872 wrote to memory of 2540	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	icsys.icn.exe
PID 2872 wrote to memory of 2540	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	icsys.icn.exe
PID 2872 wrote to memory of 2540	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	icsys.icn.exe
PID 2872 wrote to memory of 2540	2872	d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe	icsys.icn.exe
PID 2540 wrote to memory of 2684	2540	icsys.icn.exe	explorer.exe
PID 2540 wrote to memory of 2684	2540	icsys.icn.exe	explorer.exe
PID 2540 wrote to memory of 2684	2540	icsys.icn.exe	explorer.exe
PID 2540 wrote to memory of 2684	2540	icsys.icn.exe	explorer.exe
PID 2684 wrote to memory of 2324	2684	explorer.exe	spoolsv.exe
PID 2684 wrote to memory of 2324	2684	explorer.exe	spoolsv.exe
PID 2684 wrote to memory of 2324	2684	explorer.exe	spoolsv.exe
PID 2684 wrote to memory of 2324	2684	explorer.exe	spoolsv.exe
PID 2324 wrote to memory of 2428	2324	spoolsv.exe	svchost.exe
PID 2324 wrote to memory of 2428	2324	spoolsv.exe	svchost.exe
PID 2324 wrote to memory of 2428	2324	spoolsv.exe	svchost.exe
PID 2324 wrote to memory of 2428	2324	spoolsv.exe	svchost.exe
PID 2428 wrote to memory of 1944	2428	svchost.exe	spoolsv.exe
PID 2428 wrote to memory of 1944	2428	svchost.exe	spoolsv.exe
PID 2428 wrote to memory of 1944	2428	svchost.exe	spoolsv.exe
PID 2428 wrote to memory of 1944	2428	svchost.exe	spoolsv.exe
PID 2428 wrote to memory of 2576	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 2576	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 2576	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 2576	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1188	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1188	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1188	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1188	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1900	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1900	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1900	2428	svchost.exe	at.exe
PID 2428 wrote to memory of 1900	2428	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
"C:\Users\Admin\AppData\Local\Temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

\??\c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2588

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\SysWOW64\at.exe
at 12:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:2576

C:\Windows\SysWOW64\at.exe
at 12:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1188

C:\Windows\SysWOW64\at.exe
at 12:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1900

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

5

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
206KB

MD5
f2872915e8e25fe162e1f2001411a6bd

SHA1
dfc8ee7d8ac71ffb9e50f497068b6cc5339ccd2a

SHA256
9de96fbf380d228bb3e02860aeab04ad62c78978deab132bcb834ef2f833bfb5

SHA512
ea5ba2550ea3cab404c7e2cd73c201f71703d34918e39468cefac41df496afa253e116c8ae44d463db8f3c13c44e5953158ed467ca654e990a877d0dc45aebb4

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
207KB

MD5
9cba4eb509b31ac86c81aa93d5ce8173

SHA1
ef9e0df306def1dd41a10f0037abd0c238faa250

SHA256
23ecde6debc3fecb8275a3e8b232f5c242d7332bc00b64ab5155f3cb90e15626

SHA512
dc28e89eabf4bc966e1f1451aa2c444b451b7ff9f295049ff26e14c99fc9e9ff5164d2a29e99e614fdc4a19fd470b03d51fde9279d573d2a7ae4b78587b2ecd7

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
206KB

MD5
198c430dba40794b2af33c9fa2faca8e

SHA1
b7b8000f580564f9a579a938aaabe53c5e2118b1

SHA256
b505cf8e4cd9bcd4f1fe733e2dce0f1b4377d563d1ec8a51bd80657e8ea3b711

SHA512
936fa92afd547b9f4edd245a896bb4cffda4fb91aa3904d41a5d3e155126bbaa412638b4467b426d7a0d96abe71872d400f14b0ee4f546fd1ab23c5490a20946

Download Submit
C:\Windows\system\svchost.exe
Filesize
206KB

MD5
ded2dbe9e7aa8fcafecaec53b4f50815

SHA1
fc91dd8b8f8377aacdff5f365f3f5b7b31535a1e

SHA256
5d200477ca0d2b34a166da3dbc694434db7590bdabafcf6b49192de05e96c300

SHA512
ea0d3e3a4678309d10ca7e148c09d8803c1ad98cc7d6666a2d7f012c452205f2b53f34c3f58893b5963a3eeeaf4207d327930f2b759e6203b6fae69b36a4815b

Download Submit
\??\c:\users\admin\appdata\local\temp\d4ff62f78b546c2e181f819abc1f17736ba27c6630118f6d6f772b7d34d5334d.exe
Filesize
598KB

MD5
e0d1b214c3901f72582de29380ad0f11

SHA1
8b3a505c4e6195fd2eb2522191a8ea8eee2a248c

SHA256
c7971981baf58b28fa5cfd06112caf63f63667eece0ac563e5082a6a28533c18

SHA512
0f340c05a8d68536113bedf586060cc5223b5bd3cfc88dc6942da150b88246e3bb656b145a9e64cf2520dd848428ca314f1d60f0914d58e026f1715a8f38371f

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Windows\system\explorer.exe
Filesize
206KB

MD5
cbe70224477b3ccff130c9c6c5d2a851

SHA1
1cdcf42b2ee3b105eb4b8ff35ca6ad6e61d03bf9

SHA256
dffb2ea9e8dd1c3d9158ed82992eb9a65d1dc8c63b4bf5310de6748d601ac6e0

SHA512
43fa03f66c2e180b89cb79cb262ba92a7c298f07271ecd638b6178afe3380ae6f9d0d89b7e46e38ea4f99905722f0c961276469884bb8c88923284d4ccd7d3d3

Download Submit
memory/2588-153-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads