Malware Analysis Report

2024-09-11 02:47

Sample ID 240525-x6ldrafg99
Target 2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya
SHA256 efe40ffa7aedbbe1644bc4fce61426ed59594743beac2a1da50820ab0d598987
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

efe40ffa7aedbbe1644bc4fce61426ed59594743beac2a1da50820ab0d598987

Threat Level: Known bad

The file 2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Detects executables containing commands for clearing Windows Event Logs

Neshta family

Neshta

Detects executables containing commands for clearing Windows Event Logs

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Loads dropped DLL

Modifies system executable filetype association

Reads user/profile data of web browsers

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-25 19:27

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing commands for clearing Windows Event Logs

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 19:27

Reported

2024-05-25 19:30

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing commands for clearing Windows Event Logs

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.242.123.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe

MD5 71b6a493388e7d0b40c83ce903bc6b04
SHA1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512 072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

memory/2468-103-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2468-104-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2468-106-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 19:27

Reported

2024-05-25 19:30

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_e1d06e90de3a3ab6203fb32f6000b414_bad-rabbit_doublepulsar_eternalpetya_neshta_notpetya_petrwrap_petya.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2328-80-0x0000000000400000-0x000000000041B000-memory.dmp