Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
21-04-2024 02:39
Static task
static1
Behavioral task
behavioral1
Sample
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Resource
win10v2004-20240412-en
General
-
Target
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
-
Size
5.1MB
-
MD5
8138900f54fbd723a5e8bf8a7ccbcefa
-
SHA1
8584a762a3c942e2acccf9629496844c5f9e915a
-
SHA256
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e
-
SHA512
7a105c1f9f1c9b5207c7b4a034afea28060ba6efc756648a727a0189f65ac33fa8de269c7419b6f57adbc08c7e78d60c16c507ae7f1a8076373dbec35ea741a3
-
SSDEEP
49152:9yfF9pFEftw3vYMkqecOCiQhxOsEzijUeukxEqtH+Nn1YufNaUYl5beRfbtG6N+b:9u83M9F1OmhdSEeRfbtrPL78T
Malware Config
Signatures
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Executes dropped EXE 1 IoCs
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exepid process 4936 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription ioc process File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Drops file in Windows directory 7 IoCs
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exec62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription ioc process File created C:\Windows\INF\c_media.PNF c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File created C:\Windows\INF\c_display.PNF c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File created C:\Windows\INF\c_processor.PNF c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File opened for modification C:\Windows\svchost.com c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File created C:\Windows\INF\c_monitor.PNF c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File created C:\Windows\INF\c_volume.PNF c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe File created C:\Windows\INF\c_diskdrive.PNF c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Driver c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Modifies registry class 1 IoCs
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription pid process Token: SeManageVolumePrivilege 4936 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exedescription pid process target process PID 3016 wrote to memory of 4936 3016 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe PID 3016 wrote to memory of 4936 3016 c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe"C:\Users\Admin\AppData\Local\Temp\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exeFilesize
2.4MB
MD5d9e8a1fa55faebd36ed2342fedefbedd
SHA1c25cc7f0035488de9c5df0121a09b5100e1c28e9
SHA256bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a
SHA512134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33
-
C:\Users\Admin\AppData\Local\Temp\3582-490\c62ede7ccc80aa8f5d01a5ce8d3ab71978125219745a54611847cad8db62f11e.exeFilesize
5.1MB
MD50c73778eb876529892d0daa4e249a683
SHA1ada19fe0a5aeec43e1afc145def245bccb849638
SHA256c4580334ca1eb51fc62a96aae3fc1576adcf0558dd3fbda96186d4230e2cb8e1
SHA5123b402a6afc2eecc63b1e1e8c08346052c861dba656c0bcd694cf8f3bec297102fd01c4be887fe5e96a69644ca2674b21c257b679661110969d436cd010d66272
-
C:\Windows\INF\c_volume.PNFFilesize
4KB
MD58b0c8f54383cef8ac91d3c21663b21fc
SHA10bc698df786a3396c58ecca34207a4c81985af10
SHA25641cef722ddac2159237cc6c4adc318e75d5b1159373d616e9bdd35f807d2280e
SHA51280a87ef617b5fb2e8ff1cc63b45d2f7f8a368da382bb9bf6d5863f83748f3ea1ade79c6ac7a0de8203d1d43eef01a603bfbc9d47a0d3b9fa56bd71b235c6c8b0
-
memory/3016-119-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3016-121-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3016-124-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4936-120-0x0000000000400000-0x000000000094C000-memory.dmpFilesize
5.3MB