Malware Analysis Report

2024-09-11 02:36

Sample ID: 240601-b3yzsaea92
Target: a3d78911011cfdec868a9b3973079744a56320b36f27182a49330c21c0ec752c.rar
SHA256: a3d78911011cfdec868a9b3973079744a56320b36f27182a49330c21c0ec752c
Tags: neshta persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a3d78911011cfdec868a9b3973079744a56320b36f27182a49330c21c0ec752c

Threat Level: Known bad

The file a3d78911011cfdec868a9b3973079744a56320b36f27182a49330c21c0ec752c.rar was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta

Detect Neshta payload

Checks computer location settings

Modifies system executable filetype association

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-01 01:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 01:40
Reported: 2024-06-01 01:43
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows; no indicator recorded)

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1716 set thread context of 2616 N/A C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe (12 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

Network

N/A

Files


C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 801a6f350e530ce728e455c90710630d
SHA1 15040c160c3c5901aff53b4f1dacd7ede5fc1915
SHA256 03a0b5f37cb21938a82f95b4f55fd53034fcaec6bdd0ac6bf8578e38db12ffe5
SHA512 6798fd93e1c41ed4b82dabdbc92fb70d2848b3b7814a1453d08c817a2ee33711f7c48dab3ac4c0d65dc8d8c0d4927289eadbc86d985bad29f88355abc529b6cf


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 01:40
Reported: 2024-06-01 01:43
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows; no indicator recorded)

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4532 set thread context of 4428 N/A C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe (11 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe

"C:\Users\Admin\AppData\Local\Temp\MBPL-20241005_0001.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Temp\3582-490\MBPL-20241005_0001.exe

MD5 d10cbd7afb799e8e1716303bea865af3
SHA1 c9d92404450d19683bd5e7d5f2f67aeceba16c0b
SHA256 b20f930f58a354fc114ee117ed338f14c044591d8cb272a97e5d41ca6a43ec89
SHA512 35ef78bb4920ef65da0d0b72c0574cd5f91c1384794901ebc94e4559bc0f059579b0e4fbe80e81aaa4d73b6f0f1f3fe98ea89c04ba2c4eae462f05927fa7e7ed

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 8962876caa9c11483b2c4f8fc6d19275
SHA1 90811e5684922a170c369b0b0250da6d6869d3d2
SHA256 39e71f2f841505610b0e0304c75ac95a80a0437060db928cdba8122f76f95cbe
SHA512 17495a46497c4c621a21794c962bbf6fb7bd550611b18b931681b8c456288d6b849e33b95289a87e0f9ec043316ad70da23656d7002fc11750bf6bce818ed348
