Malware Analysis Report

2024-09-11 00:02

Sample ID 240619-hx74tswdmd
Target order SL2024-01.exe
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
Tags neshta persistence spyware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e

Threat Level: Known bad

The file order SL2024-01.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware

Neshta

Modifies system executable filetype association

Drops startup file

Loads dropped DLL

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 07:08

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 07:08

Reported

2024-06-19 07:10

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

Signatures

Neshta

persistence spyware neshta

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1712 set thread context of 2092 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\SysWOW64\svchost.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\directory\file5.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1404 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1404 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1404 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe C:\Users\Admin\AppData\Local\directory\file5.exe
PID 1712 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1712 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1712 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1712 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1712 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe
PID 1712 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1712 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1712 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\WerFault.exe
PID 1712 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Users\Admin\AppData\Local\directory\file5.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 320

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\pyogenesis

MD5 5a82d2ba2918d9b69b8d2e33453508db
SHA1 10630a647881d8afbcab3792b75fc8b9ad5951dc
SHA256 c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45
SHA512 86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

memory/1404-11-0x00000000002E0000-0x00000000002E4000-memory.dmp

\Users\Admin\AppData\Local\directory\file5.exe

MD5 827d17ea8908eee608affcbf9a41a4a8
SHA1 082df822af7674e9851f707a11eb948d9dd3107b
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
SHA512 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

C:\Users\Admin\AppData\Local\Temp\done

MD5 764c56ef5805ba4e1b8a20f7c7515762
SHA1 43d20748615fdcbc5dc2781c7ec39aa05d93dd66
SHA256 154599a882d84df848b842b1262f810a1ee21f273357de1f1ac812821ba3d8ae
SHA512 9f2be8f1e9f067b88450436abc57a7305507c0429c7ffa3ee3134b466b7d43f41b435f30cb4664d4c16dfcf1172692e9965d121907930aea8307982543596cfa

memory/2092-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2092-33-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2092-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2092-37-0x0000000000400000-0x000000000041B000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 2420cf7c48cc0cd5b5503d2410a6981a
SHA1 f963ac5873b3e70a24ce74499cb032e9ab68d454
SHA256 e4dc2a8658c3f9788e183bffa523e2063d01daf335396bf3eff0bd3731eaeb42
SHA512 8c527e3fa20dba59a958988b293f0358501efca9118b45b5a8ad505f8fdc466e83ca7aa81b473e3b382c3807386ba59a263f0237272dbd76c535f753b6501981

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2092-121-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 07:08

Reported

2024-06-19 07:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

Signatures

Neshta

persistence spyware neshta

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3924 set thread context of 624 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Users\Admin\AppData\Local\directory\file5.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\order SL2024-01.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\pyogenesis

MD5 5a82d2ba2918d9b69b8d2e33453508db
SHA1 10630a647881d8afbcab3792b75fc8b9ad5951dc
SHA256 c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45
SHA512 86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

memory/4884-12-0x0000000002550000-0x0000000002554000-memory.dmp

C:\Users\Admin\AppData\Local\directory\file5.exe

MD5 827d17ea8908eee608affcbf9a41a4a8
SHA1 082df822af7674e9851f707a11eb948d9dd3107b
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
SHA512 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

C:\Users\Admin\AppData\Local\Temp\done

MD5 764c56ef5805ba4e1b8a20f7c7515762
SHA1 43d20748615fdcbc5dc2781c7ec39aa05d93dd66
SHA256 154599a882d84df848b842b1262f810a1ee21f273357de1f1ac812821ba3d8ae
SHA512 9f2be8f1e9f067b88450436abc57a7305507c0429c7ffa3ee3134b466b7d43f41b435f30cb4664d4c16dfcf1172692e9965d121907930aea8307982543596cfa

memory/624-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/624-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/624-33-0x0000000000400000-0x000000000041B000-memory.dmp

memory/624-36-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe

MD5 02d5934d708008ecdbced2f8c1491727
SHA1 21f7ab77b928386ace6ac3366ae017b0ac73ad3a
SHA256 f8898de9a8d6d10f61e1075471f4dbf21e52b5e71969d10675359fa7bfcbfd00
SHA512 252b8652695b60222d1165eda50440893f1a5c5e59a6d2e607de80405fb1d083da3421a0b3d27f3dfb20e298253d0f04ae87d6c092270ac4f23056c33f6523a5

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 fda6ad2775db2a19f8cbed4f348143c3
SHA1 2ba0dce08231f16a110665eaaac88f76e009f6e4
SHA256 ac5322711d79824bb5be0dce1b7bcc431efbb4c538fbcefe57d04867270e0cb7
SHA512 161ee40921ff3e347ab4b43d3858495ebdd8188e5b9f08bb76d52e8799c1a14c16ecb0fdb3019034e334e68a3d1337122a3a10c4d00382adc4ce92a3c7303be9

memory/624-135-0x0000000000400000-0x000000000041B000-memory.dmp

memory/624-137-0x0000000000400000-0x000000000041B000-memory.dmp