neshta | c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e

General

Target

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Size

5.1MB
MD5

8138900f54fbd723a5e8bf8a7ccbcefa
SHA1

8584a762a3c942e2acccf9629496844c5f9e915a
SHA256

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e
SHA512

7a105c1f9f1c9b5207c7b4a034afea28060ba6efc756648a727a0189f65ac33fa8de269c7419b6f57adbc08c7e78d60c16c507ae7f1a8076373dbec35ea741a3
SSDEEP

49152:9yfF9pFEftw3vYMkqecOCiQhxOsEzijUeukxEqtH+Nn1YufNaUYl5beRfbtG6N+b:9u83M9F1OmhdSEeRfbtrPL78T

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Executes dropped EXE 1 IoCs

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

pid process

4936 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

pid	process
4936	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Drops file in Windows directory 7 IoCs

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exec62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	ioc	process
File created	C:\Windows\INF\c_media.PNF	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File created	C:\Windows\INF\c_display.PNF	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File created	C:\Windows\INF\c_processor.PNF	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File opened for modification	C:\Windows\svchost.com	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File created	C:\Windows\INF\c_monitor.PNF	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File created	C:\Windows\INF\c_volume.PNF	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
File created	C:\Windows\INF\c_diskdrive.PNF	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Modifies registry class 1 IoCs

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description pid process

Token: SeManageVolumePrivilege 4936 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	pid	process
Token: SeManageVolumePrivilege	4936	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

description	pid	process	target process
PID 3016 wrote to memory of 4936	3016	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
PID 3016 wrote to memory of 4936	3016	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe	c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe

C:\Users\Admin\AppData\Local\Temp\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
"C:\Users\Admin\AppData\Local\Temp\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\3582-490\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Filesize
5.1MB

MD5
0c73778eb876529892d0daa4e249a683

SHA1
ada19fe0a5aeec43e1afc145def245bccb849638

SHA256
c4580334ca1eb51fc62a96aae3fc1576adcf0558dd3fbda96186d4230e2cb8e1

SHA512
3b402a6afc2eecc63b1e1e8c08346052c861dba656c0bcd694cf8f3bec297102fd01c4be887fe5e96a69644ca2674b21c257b679661110969d436cd010d66272

Download Submit
C:\Windows\INF\c_volume.PNF
Filesize
4KB

MD5
8b0c8f54383cef8ac91d3c21663b21fc

SHA1
0bc698df786a3396c58ecca34207a4c81985af10

SHA256
41cef722ddac2159237cc6c4adc318e75d5b1159373d616e9bdd35f807d2280e

SHA512
80a87ef617b5fb2e8ff1cc63b45d2f7f8a368da382bb9bf6d5863f83748f3ea1ade79c6ac7a0de8203d1d43eef01a603bfbc9d47a0d3b9fa56bd71b235c6c8b0

Download Submit
memory/3016-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4936-120-0x0000000000400000-0x000000000094C000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads