Malware Analysis Report

2024-09-11 00:02

Sample ID 240619-h3ysca1amn
Target order SL2024-01.pdf.gz
SHA256 80a49f6d176bd323b07bd6df4880a39699522bea37e58db72da3d6891c27e3d7
Tags
neshta persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

80a49f6d176bd323b07bd6df4880a39699522bea37e58db72da3d6891c27e3d7

Threat Level: Known bad

The file order SL2024-01.pdf.gz was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware

Neshta

Modifies system executable filetype association

Drops startup file

Loads dropped DLL

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 07:16

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 07:16

Reported

2024-06-19 07:18

Platform

win7-20240508-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

Signatures

Neshta

persistence spyware neshta

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2916 set thread context of 2736 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A
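
Added example, not part of the sandbox report: a host-side check for the three persistence artifacts recorded in this run, the exefile shell\open\command value rewritten to run C:\Windows\svchost.com, the svchost.com drop in the Windows directory, and file5.vbs in the per-user Startup folder. The two snapshot structures (registry values keyed by path, a list of file paths) are this example's assumption standing in for winreg and os.path lookups on a live host. The registry value is written as the registry holds it; the table above shows it in escaped form.

```python
"""Host-side checks for the Neshta persistence artifacts recorded in this report.

Added example, not sandbox output. The two snapshot structures below (registry
values keyed by path, and a list of file paths) are an assumption of this
example standing in for winreg / os.path lookups on a live host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

EXEFILE_KEY = r"HKLM\SOFTWARE\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'                  # stock value: run the .exe itself
NESHTA_HOST = r"C:\Windows\svchost.com"      # 'Drops file in Windows directory'
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def check_exefile_association(value: Optional[str]) -> Optional[Finding]:
    """Flag an exefile open verb that does not launch the target directly.

    The report shows it rewritten to C:\\Windows\\svchost.com "%1" %*, so every
    .exe opened through the shell runs the infector first. Any other wrapper is
    equally suspicious, so the comparison is against the stock value rather
    than a Neshta-specific string.
    """
    if value is None or value.strip().lower() == EXEFILE_DEFAULT.lower():
        return None
    return Finding("exefile shell\\open\\command hijacked", value)


def check_windows_dir_drop(paths: List[str]) -> Optional[Finding]:
    """svchost.com in the Windows directory is the body the infector installs."""
    for p in paths:
        if p.lower() == NESHTA_HOST.lower():
            return Finding("infector body in Windows directory", p)
    return None


def check_startup_scripts(paths: List[str]) -> List[Finding]:
    """Script files in a Startup folder (file5.vbs in the report) run at logon."""
    return [
        Finding("script in Startup folder", p)
        for p in paths
        if STARTUP_DIR.lower() in p.lower() and p.lower().endswith(SCRIPT_EXTS)
    ]


def evaluate(registry: Dict[str, str], files: List[str]) -> List[Finding]:
    """Run all three checks and return the findings in a fixed order."""
    findings: List[Finding] = []
    for f in (check_exefile_association(registry.get(EXEFILE_KEY)),
              check_windows_dir_drop(files)):
        if f is not None:
            findings.append(f)
    findings.extend(check_startup_scripts(files))
    return findings


# Constructed snapshots: the first reproduces the artifacts in the tables above,
# written as the registry and file system would hold them (unescaped).
INFECTED_SNAPSHOT = (
    {EXEFILE_KEY: r'C:\Windows\svchost.com "%1" %*'},
    [
        r"C:\Windows\svchost.com",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs",
        r"C:\Users\Admin\AppData\Local\directory\file5.exe",
    ],
)
CLEAN_SNAPSHOT = ({EXEFILE_KEY: EXEFILE_DEFAULT}, [r"C:\Windows\System32\svchost.exe"])

if __name__ == "__main__":
    for finding in evaluate(*INFECTED_SNAPSHOT):
        print(f"{finding.rule}: {finding.evidence}")
```

Order matters during cleanup: restore the exefile command to "%1" %* before deleting svchost.com, because while the verb still points at it every launch that goes through the shell's file association (Explorer, the Run dialog) is routed to a file that no longer exists and fails. The executables under Program Files listed as "File opened for modification" above are a separate problem that this check does not cover.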

Processes

C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Users\Admin\AppData\Local\directory\file5.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\pyogenesis

MD5 5a82d2ba2918d9b69b8d2e33453508db
SHA1 10630a647881d8afbcab3792b75fc8b9ad5951dc
SHA256 c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45
SHA512 86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

memory/2972-11-0x0000000000120000-0x0000000000124000-memory.dmp

\Users\Admin\AppData\Local\directory\file5.exe

MD5 827d17ea8908eee608affcbf9a41a4a8
SHA1 082df822af7674e9851f707a11eb948d9dd3107b
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
SHA512 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

C:\Users\Admin\AppData\Local\Temp\done

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2736-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2736-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2736-33-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2736-37-0x0000000000400000-0x000000000041B000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 2420cf7c48cc0cd5b5503d2410a6981a
SHA1 f963ac5873b3e70a24ce74499cb032e9ab68d454
SHA256 e4dc2a8658c3f9788e183bffa523e2063d01daf335396bf3eff0bd3731eaeb42
SHA512 8c527e3fa20dba59a958988b293f0358501efca9118b45b5a8ad505f8fdc466e83ca7aa81b473e3b382c3807386ba59a263f0237272dbd76c535f753b6501981

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2736-116-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 07:16

Reported

2024-06-19 07:18

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

Signatures

Neshta

persistence spyware neshta

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2676 set thread context of 1736 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\COOKIE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\BHO\IE_TO_~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\PWAHEL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\IDENTI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\INSTAL~1\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\MSEDGE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\MSEDGE~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\msedge.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\MSEDGE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\125025~1.92\NOTIFI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1240 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1240 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1176 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1176 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1176 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1176 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1176 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1176 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 2676 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 2676 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 2676 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 2676 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
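
Added example, not part of the sandbox report: the WriteProcessMemory rows above and this run's single SetThreadContext row, reproduced as input, correlated into an injection graph. A parent that both writes into a child and rewrites its thread context is the process-hollowing sequence; the write-only pairs (1240 into 1176, 1176 into 664, 1176 into 2676) stay in the graph but are not reported as hollowing, since the report carries no matching SetThreadContext row for them. The row grammar the regex assumes is the one used in these two tables.

```python
"""Correlate the WriteProcessMemory and SetThreadContext rows into an injection graph.

Added example, not sandbox output. Input rows are copied from the behavioral2
tables above; the grammar assumed is
  'PID <src> wrote to memory of <dst> N/A <src image> <dst image>' and
  'PID <src> set thread context of <dst> N/A <src image> <dst image>'.
"""
import re
from typing import Dict, List, Tuple

LOADER = r"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\directory\file5.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# Rows from 'Suspicious use of WriteProcessMemory' (repeated as in the table).
WRITE_EVENTS = (
    [f"PID 1240 wrote to memory of 1176 N/A {LOADER} {DROPPED}"] * 3
    + [f"PID 1176 wrote to memory of 664 N/A {DROPPED} {SVCHOST}"] * 3
    + [f"PID 1176 wrote to memory of 2676 N/A {DROPPED} {DROPPED}"] * 3
    + [f"PID 2676 wrote to memory of 1736 N/A {DROPPED} {SVCHOST}"] * 4
)
# The single row from 'Suspicious use of SetThreadContext'.
CONTEXT_EVENTS = [f"PID 2676 set thread context of 1736 N/A {DROPPED} {SVCHOST}"]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.+)$"
)

Edge = Tuple[int, int]


def parse_rows(rows: List[str]) -> Dict[Edge, dict]:
    """Aggregate rows per (src pid, dst pid): write count, context flag, images.

    Image paths may contain spaces (order SL2024-01.exe), so the source image is
    matched lazily and the destination image must start with a drive letter.
    """
    edges: Dict[Edge, dict] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        key = (int(m["src"]), int(m["dst"]))
        e = edges.setdefault(key, {"writes": 0, "context": False,
                                   "src_image": m["src_image"], "dst_image": m["dst_image"]})
        if m["verb"].startswith("wrote"):
            e["writes"] += 1
        else:
            e["context"] = True
    return edges


def hollowing_candidates(edges: Dict[Edge, dict]) -> List[Tuple[int, int, str, str]]:
    """Pairs where the parent both wrote into the child and reset its thread context.

    That is the hollowing sequence (create suspended, WriteProcessMemory,
    SetThreadContext, ResumeThread). Writes without a context change are kept
    in the graph but not reported here.
    """
    return [(s, d, e["src_image"], e["dst_image"])
            for (s, d), e in sorted(edges.items()) if e["writes"] and e["context"]]


def root_pids(edges: Dict[Edge, dict]) -> List[int]:
    """Processes that write into others but were never written into."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def injection_chain(edges: Dict[Edge, dict], root: int) -> List[Edge]:
    """Depth-first walk over write edges from root, visiting edges in PID order."""
    chain: List[Edge] = []
    stack = [root]
    while stack:
        pid = stack.pop()
        for edge in sorted(edges):
            if edge[0] == pid and edge not in chain:
                chain.append(edge)
                stack.append(edge[1])
    return chain


if __name__ == "__main__":
    graph = parse_rows(WRITE_EVENTS + CONTEXT_EVENTS)
    for root in root_pids(graph):
        for s, d in injection_chain(graph, root):
            e = graph[(s, d)]
            print(f"{s} -> {d}: {e['writes']} write(s), context={e['context']}")
    for s, d, src, dst in hollowing_candidates(graph):
        print(f"hollowing: {src} ({s}) into {dst} ({d})")
```

For the flagged pair, the dumps named memory/1736-*-0x0000000000400000-0x000000000041B000-memory.dmp in the Files section below are the image written into svchost.exe (PID 1736); the Windows 7 run records the same 0x400000-0x41B000 region for PID 2736, whose parent 2916 is the one shown setting its thread context in that run.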

Processes

C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Users\Admin\AppData\Local\directory\file5.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Users\Admin\AppData\Local\directory\file5.exe

"C:\Users\Admin\AppData\Local\directory\file5.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\directory\file5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
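
Added example, not part of the sandbox report: the Network rows above, copied into the script, run through a filter that sets aside traffic a detonation environment produces on its own. The allow-list (reverse lookups under in-addr.arpa, and Bing and Microsoft hosts a stock Windows 10 image contacts unprompted) is this example's assumption, not a statement made by the report, and the beacon row is constructed. Nothing in this run survives the filter, which matches the empty Network section of the Windows 7 run: neither detonation recorded command-and-control traffic.

```python
"""Triage the behavioral2 Network table: environment noise vs. traffic to review.

Added example, not sandbox output. Rows are copied from the table above in the
form 'Country Destination Domain Proto'. The background allow-list is this
example's assumption about what a stock Windows 10 detonation image contacts
on its own, not a statement made by the report.
"""
from typing import Dict, List

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
""".splitlines()

# Constructed row showing what a beacon would look like in the same table format.
BEACON_ROW = "DE 203.0.113.7:443 update-check.example.net tcp"

# Hosts a stock Windows 10 image reaches without user action (assumption).
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com",
                       ".windows.com", ".windowsupdate.com", ".msftconnecttest.com")


def parse_row(row: str) -> Dict[str, object]:
    """Split one 'Country Destination Domain Proto' row; Destination is ip:port."""
    country, dest, domain, proto = row.split()
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto}


def classify(flow: Dict[str, object]) -> str:
    """'noise' when the environment explains the flow, otherwise 'review'."""
    domain = str(flow["domain"])
    if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "noise"      # PTR lookups issued for every IP the sandbox saw
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "noise"      # OS background traffic, whether the DNS query or the TCP session
    return "review"         # anything else, including a DNS query for an unknown name


def flows_to_review(rows: List[str]) -> List[Dict[str, object]]:
    """Return the flows an analyst still has to look at, in table order."""
    return [f for f in (parse_row(r) for r in rows) if classify(f) == "review"]


if __name__ == "__main__":
    remaining = flows_to_review(NETWORK_ROWS)
    print(f"{len(NETWORK_ROWS)} rows, {len(remaining)} left to review")
    for f in flows_to_review(NETWORK_ROWS + [BEACON_ROW]):
        print(f"review: {f['domain']} {f['ip']}:{f['port']}/{f['proto']}")
```

The filter is deliberately name-based: a DNS query to 8.8.8.8 is judged by the name it asks for, not by the resolver, so a lookup of an unfamiliar domain is kept for review even though every query in the table goes to the same server.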

Files

C:\Users\Admin\AppData\Local\Temp\aut3D67.tmp

MD5 5a82d2ba2918d9b69b8d2e33453508db
SHA1 10630a647881d8afbcab3792b75fc8b9ad5951dc
SHA256 c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45
SHA512 86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

memory/1240-12-0x00000000025F0000-0x00000000025F4000-memory.dmp

C:\Users\Admin\AppData\Local\directory\file5.exe

MD5 827d17ea8908eee608affcbf9a41a4a8
SHA1 082df822af7674e9851f707a11eb948d9dd3107b
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
SHA512 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

C:\Users\Admin\AppData\Local\Temp\done

MD5 764c56ef5805ba4e1b8a20f7c7515762
SHA1 43d20748615fdcbc5dc2781c7ec39aa05d93dd66
SHA256 154599a882d84df848b842b1262f810a1ee21f273357de1f1ac812821ba3d8ae
SHA512 9f2be8f1e9f067b88450436abc57a7305507c0429c7ffa3ee3134b466b7d43f41b435f30cb4664d4c16dfcf1172692e9965d121907930aea8307982543596cfa

C:\Users\Admin\AppData\Local\Temp\aut4298.tmp

MD5 8bd1753cdaeedb7ae8d8f542b6228734
SHA1 66aa541fa71b9257c798312a721235d45fd856ad
SHA256 98d60eabac5d06c99b4bd26abf0e5f6923732879e2da20648dbc6b50d63b047c
SHA512 ed8e99fbe66b98e0e4dca83149239092054e13dc7b47e2ffac429a723052b81509f3901d56b7a36529e8308cdba9d0f943a3fa9cf089de1537d249549fd1c8db

memory/1736-47-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1736-49-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1736-51-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1736-48-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe

MD5 02d5934d708008ecdbced2f8c1491727
SHA1 21f7ab77b928386ace6ac3366ae017b0ac73ad3a
SHA256 f8898de9a8d6d10f61e1075471f4dbf21e52b5e71969d10675359fa7bfcbfd00
SHA512 252b8652695b60222d1165eda50440893f1a5c5e59a6d2e607de80405fb1d083da3421a0b3d27f3dfb20e298253d0f04ae87d6c092270ac4f23056c33f6523a5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 fda6ad2775db2a19f8cbed4f348143c3
SHA1 2ba0dce08231f16a110665eaaac88f76e009f6e4
SHA256 ac5322711d79824bb5be0dce1b7bcc431efbb4c538fbcefe57d04867270e0cb7
SHA512 161ee40921ff3e347ab4b43d3858495ebdd8188e5b9f08bb76d52e8799c1a14c16ecb0fdb3019034e334e68a3d1337122a3a10c4d00382adc4ce92a3c7303be9

memory/1736-171-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1736-173-0x0000000000400000-0x000000000041B000-memory.dmp