neshta | b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 02:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
Size

2.8MB
MD5

65629f9586b9877d539cc8fda3d3d093
SHA1

974d6e5ac35a8f65e65eceebd1b554e2e6ad0d84
SHA256

b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc
SHA512

ddcedf405c5db1879b33d13bbe3d7a6b592ce2623e8fdde7bfd7c3c4ebdaba9fc6203e1772108431bd0088c42deb26171e2f1e9823b4b7344bf356351f1ec12f
SSDEEP

49152:V9dkLlk5IdyI7955PDqIYm3bRYa20VccHxScgsQrUF7bWmIcohoHU+FH:Lkq5uv79rPQmrGaxTgsQrGWmIcohoHjH

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000100000001030c-10.dat	family_neshta
behavioral1/memory/2500-203-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2500-205-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
2524	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Loads dropped DLL 3 IoCs

pid	Process
2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2524	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
2524	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
2524	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2752	2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	28
PID 2500 wrote to memory of 2752	2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	28
PID 2500 wrote to memory of 2752	2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	28
PID 2500 wrote to memory of 2752	2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	28
PID 2500 wrote to memory of 2752	2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	28
PID 2500 wrote to memory of 2752	2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	28
PID 2500 wrote to memory of 2752	2500	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	28
PID 2752 wrote to memory of 2524	2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	29
PID 2752 wrote to memory of 2524	2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	29
PID 2752 wrote to memory of 2524	2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	29
PID 2752 wrote to memory of 2524	2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	29
PID 2752 wrote to memory of 2524	2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	29
PID 2752 wrote to memory of 2524	2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	29
PID 2752 wrote to memory of 2524	2752	b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe	29

C:\Users\Admin\AppData\Local\Temp\b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
"C:\Users\Admin\AppData\Local\Temp\b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\3582-490\b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\f761120\b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe
    run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\3582-490\b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761258\Load.html

Filesize
2KB

MD5
1757c2d0841f85052f85d8d3cd03a827

SHA1
801b085330505bad85e7a5af69e6d15d962a7c3a

SHA256
3cf5674efaaf74beccd16d1b9bcf3ffb35c174d6d93375bc532b46d9b4b4ed35

SHA512
4a12a55aac846f137c18849302e74d34df70ea5aaff78d57fce05b4776bedcde9e1b1032734e29650bcbac3e6932dfef75d97931443446a23e21cf5b3072dd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761258\common\js\common.js

Filesize
45KB

MD5
87daf84c22986fa441a388490e2ed220

SHA1
4eede8fb28a52e124261d8f3b10e6a40e89e5543

SHA256
787f5c13eac01bd8bbce329cc32d2f03073512e606b158e3fff07de814ea7f23

SHA512
af72a1d3757bd7731fa7dc3f820c0619e42634169643d786da5cce0c9b0d4babd4f7f57b12371180204a42fec6140a2cff0c13b37d183c9d6bbaeb8f5ce25e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761258\common\js\external.js

Filesize
36B

MD5
140918feded87fe0a5563a4080071258

SHA1
9a45488c130eba3a9279393d27d4a81080d9b96a

SHA256
25df7ab9509d4e8760f1fdc99684e0e72aac6e885cbdd3396febc405ea77e7f6

SHA512
56f5771db6f0f750ae60a1bb04e187a75fbee1210e1381831dcc2d9d0d4669ef4e58858945c1d5935e1f2d2f2e02fe4d2f08dd2ab27a14be10280b2dd4d8a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761258\common\js\jquery-1.11.2.min.js

Filesize
93KB

MD5
5790ead7ad3ba27397aedfa3d263b867

SHA1
8130544c215fe5d1ec081d83461bf4a711e74882

SHA256
2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

SHA512
781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761258\config\config.js

Filesize
5KB

MD5
34f8eb4ea7d667d961dccfa7cfd8d194

SHA1
80ca002efed52a92daeed1477f40c437a6541a07

SHA256
30c3d0e8bb3620fe243a75a10f23d83436ff4b15acb65f4f016258314581b73d

SHA512
b773b49c0bbd904f9f87b0b488ed38c23fc64b0bdd51ab78375a444ea656d929b3976808e715a62962503b0d579d791f9a21c45a53038ed7ae8263bd63bc0d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761258\config\installparams.js

Filesize
533B

MD5
1d08645ffa39d1b668ac46d1212382e4

SHA1
ab74391f59cd2531f846baeb9f8af59ac1b9420b

SHA256
3d6a4ca11b5c4c73edc19dda426f5cfe9028ace4479f7ea5e6bf643b0ac0497e

SHA512
67341e81ca3a51aeead9bdba9f218f1bcd90733ac16b91f196a4f3c842ce98b37cc228385cf8b6d30bcd3e0d66d72199e83ba31bdd75b201f41ae0d28f6a58d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f761258\config\stubparams.js

Filesize
37KB

MD5
91f6304d426d676ec9365c3e1ff249d5

SHA1
05a3456160862fbaf5b4a96aeb43c722e0a148da

SHA256
823f4f8dfe55d3ce894308122d6101fed1b8ef1eb8e93101945836655b2aed1b

SHA512
530f4fad6af5a0e600b037fcd094596652d2e3bf2f6d2ce465aae697ea90a361a0ffcc770c118102a0dd9bf12ab830ac6b459e57a268f435c88c049c127491f4

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\b67316b1f7c919879dd760812cda90032bd9667aa6600647a3c65e4f7ab9e6cc.exe

Filesize
2.8MB

MD5
393c29eac3a719563b1e85dd2d61f607

SHA1
357a1c95d21563177d64f59f8dd65c0206ab6ae9

SHA256
302e37f647870647d0cb49ce11df7bdb14b311402a58c6c962b58a5fad7ab0d2

SHA512
9a8c1c220be34323a194317061e55fc5983ff7371dae8ab8a4ae53964132c3c27a70b0c1929fd6cd943c20ac9b085191a4b7ead46264aaf303ca785a079d9be9

Download Submit
memory/2500-203-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-205-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads