Malware Analysis Report

2024-09-11 02:46

Sample ID 240531-jmkffsce38
Target MBPL-20241005_0001.exe
SHA256 1dbfb91bb378374fbc436b301cc481f6b32c53cfcb5dd3c3ab1eee2460e4bafe
Tags neshta persistence spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 1dbfb91bb378374fbc436b301cc481f6b32c53cfcb5dd3c3ab1eee2460e4bafe

Threat Level: Known bad

The file MBPL-20241005_0001.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Checks computer location settings

Modifies system executable filetype association

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 07:47

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 07:47

Reported

2024-05-31 07:49

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

Signatures

Detect Neshta payload

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1688 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

Drops file in Program Files directory

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1688 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 07:47

Reported

2024-05-31 07:49

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

Signatures

Detect Neshta payload

Neshta

persistence spyware neshta

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3080 set thread context of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

Drops file in Program Files directory

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3080 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe | C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\MBPL-20241005_0001.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
