Malware Analysis Report

2024-09-11 02:56

Sample ID 240522-cjm9lsgh59
Target 69c586c536d93226497121655235e83cd1332e550ef110de0aad6a05a62008cc
SHA256 69c586c536d93226497121655235e83cd1332e550ef110de0aad6a05a62008cc
Tags neshta persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

69c586c536d93226497121655235e83cd1332e550ef110de0aad6a05a62008cc

Threat Level: Known bad

The file 69c586c536d93226497121655235e83cd1332e550ef110de0aad6a05a62008cc was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Modifies system executable filetype association

Reads user/profile data of web browsers

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-22 02:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 02:06

Reported

2024-05-22 02:09

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows, no details reported)

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1364 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe

Drops file in Program Files directory

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe (12 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe

"C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"

C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe

"C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 b7c843620d233b8c30a6514860297225
SHA1 292e6dd68b24c7945c4d3fbcbff7458fd61fb7a8
SHA256 3b270fa3f72584ed8e7d4680a04dfad88219f042f05f6711b17f2a1e08d5d474
SHA512 e68e66578b5455da52aa55a3cdaef13ae9ba9ea0816d478213a82f60a9972de2eb3e9619d4db7cab2e7e97a92778203c7f606f4ba43eb13481b79db8c1561c28

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 02:06

Reported

2024-05-22 02:09

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows, no details reported)

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3812 set thread context of 872 N/A C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe

Drops file in Program Files directory

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3812 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe (11 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe

"C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"

C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe

"C:\Users\Admin\AppData\Local\Temp\att-19071817514.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\att-19071817514.exe

MD5 bfb1f02f804fac8751a7e624ade46b4f
SHA1 452827701cc46243eb3654907388c3ca7e68c9e4
SHA256 0b6525fa60e909a86bff23f398f6fdf88d2d666901f39cc8fb4cc6800ca92dd1
SHA512 64cb56d1f67ec7527dd6d961732e7041ee26b8d3c7ae98638134f46597d326217dfd1ead22f0bcaaf7d7c910a9264259e7f0a5c43b183e64d99dc5ebd944836f

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 051424ac433bb5e99ffcca0bcb2ce96b
SHA1 3c9264fb7ace6e8ab2419514146aef075196d12a
SHA256 685c331ecc43805b2775995af5d865c8ac172d1543c97ad5d465e546f151197a
SHA512 1b92812777d9bf729988291eeff26ec7a7364cf8bcb02cb60cc8fb355367aae7d74c0f9a86f5965406545b64b9d41e65ad3f7178a00836bfd4b5bd768b9f31cc
