Malware Analysis Report

2024-09-11 00:03

Sample ID 240620-be3casvbmr
Target 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
Tags
neshta persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e

Threat Level: Known bad

The file 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware

Neshta

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Drops startup file

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 01:04

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 01:04

Reported

2024-06-20 01:06

Platform

win7-20240419-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

Signatures

Neshta

persistence spyware neshta

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2140 set thread context of 2560 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

C:\Users\Admin\AppData\Local\directory\file5.exe

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\pyogenesis

MD5 5a82d2ba2918d9b69b8d2e33453508db
SHA1 10630a647881d8afbcab3792b75fc8b9ad5951dc
SHA256 c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45
SHA512 86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

memory/1732-11-0x0000000000750000-0x0000000000754000-memory.dmp

\Users\Admin\AppData\Local\directory\file5.exe

MD5 827d17ea8908eee608affcbf9a41a4a8
SHA1 082df822af7674e9851f707a11eb948d9dd3107b
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
SHA512 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

C:\Users\Admin\AppData\Local\Temp\done

MD5 764c56ef5805ba4e1b8a20f7c7515762
SHA1 43d20748615fdcbc5dc2781c7ec39aa05d93dd66
SHA256 154599a882d84df848b842b1262f810a1ee21f273357de1f1ac812821ba3d8ae
SHA512 9f2be8f1e9f067b88450436abc57a7305507c0429c7ffa3ee3134b466b7d43f41b435f30cb4664d4c16dfcf1172692e9965d121907930aea8307982543596cfa

memory/2560-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2560-33-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2560-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2560-37-0x0000000000400000-0x000000000041B000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 2420cf7c48cc0cd5b5503d2410a6981a
SHA1 f963ac5873b3e70a24ce74499cb032e9ab68d454
SHA256 e4dc2a8658c3f9788e183bffa523e2063d01daf335396bf3eff0bd3731eaeb42
SHA512 8c527e3fa20dba59a958988b293f0358501efca9118b45b5a8ad505f8fdc466e83ca7aa81b473e3b382c3807386ba59a263f0237272dbd76c535f753b6501981

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2560-116-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 01:04

Reported

2024-06-20 01:07

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

Signatures

Neshta

persistence spyware neshta

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file5.vbs C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 464 set thread context of 4924 N/A C:\Users\Admin\AppData\Local\directory\file5.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\BHO\ie_to_edge_stub.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_pwa_launcher.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Windows\SysWOW64\svchost.exe N/A
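The registry value in this table, identical in the win7 (behavioral1) and win10 (behavioral2) runs, is the Neshta persistence mechanism: the default handler for every .exe launch is replaced so that C:\Windows\svchost.com (the file written in "Drops file in Windows directory") runs first and receives the real program as %1. The long "Drops file in Program Files directory" lists are the same infector walking host executables. The check below is an added example, not part of the sandbox report; the function names are the editor's own, the registry value and file paths come from the tables above, and the 3582-490 temp directory is Neshta's known drop location (it also appears under Files in behavioral2), while file5.vbs is specific to this sample.

```python
"""Check a Windows host for the exefile-association hijack shown in this report.

Added example (not part of the sandbox report). Function names are the
editor's own; the indicator values come from the signature tables above.
"""
import os
import re
import sys
import tempfile

# Value recorded under HKLM\SOFTWARE\Classes\exefile\shell\open\command in both runs
REPORT_VALUE = r'C:\Windows\svchost.com "%1" %*'
# Stock Windows value for that key: run the .exe directly with its arguments
CLEAN_VALUE = r'"%1" %*'

# Trailing '"%1" %*' (quotes optional) that every variant of the value ends with
_ARGS_TAIL = re.compile(r'\s*"?%1"?\s*%\*\s*$')


def classify_exefile_command(value):
    """Return (verdict, interposed_program).

    'clean'      -> only the stock argument placeholders, nothing in front
    'hijacked'   -> a program is run first and receives the real .exe as %1
    'unexpected' -> value lacks the placeholders; inspect by hand
    """
    v = value.strip()
    m = _ARGS_TAIL.search(v)
    if not m:
        return "unexpected", v
    head = v[: m.start()].strip().strip('"')
    return ("clean", None) if not head else ("hijacked", head)


def file_indicators():
    """On-disk artefacts from the report, resolved for the current host."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    appdata = os.environ.get("APPDATA", r"C:\Users\Admin\AppData\Roaming")
    return [
        os.path.join(windir, "svchost.com"),              # Neshta infector body
        os.path.join(tempfile.gettempdir(), "3582-490"),  # Neshta host-program drop dir
        os.path.join(appdata, "Microsoft", "Windows", "Start Menu",
                     "Programs", "Startup", "file5.vbs"),  # this sample's startup file
    ]


def read_live_exefile_commands():
    """Read the live key from HKLM and HKCU (HKCU wins in the HKCR merge).

    Returns {} on non-Windows hosts so the module still imports there.
    """
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                       ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, r"SOFTWARE\Classes\exefile\shell\open\command") as k:
                out[name] = winreg.QueryValueEx(k, "")[0]
        except OSError:
            pass  # HKCU normally has no such key
    return out


def check_host():
    """Collect findings for this host; an empty list means nothing matched."""
    findings = []
    for hive, value in read_live_exefile_commands().items():
        verdict, prog = classify_exefile_command(value)
        if verdict != "clean":
            findings.append(f"{hive} exefile association {verdict}: {prog}")
    for path in file_indicators():
        if os.path.exists(path):
            findings.append(f"artefact present: {path}")
    return findings


if __name__ == "__main__":
    print(classify_exefile_command(REPORT_VALUE))
    for finding in check_host():
        print(finding)
```

Remediation order matters: restore the key to "%1" %* before removing C:\Windows\svchost.com, otherwise every .exe launch on the host fails because the handler no longer exists. The executables listed under "Drops file in Program Files directory" were opened for writing by the infector and should be restored from known-good media rather than trusted after the key is fixed.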

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\file5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

C:\Users\Admin\AppData\Local\directory\file5.exe

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Recorded in the win10 run only; the win7 run above logged no traffic. The destinations are Google-operated endpoints (chromewebstore.googleapis.com, pki.goog) and reverse-DNS (in-addr.arpa) lookups of public addresses, which is consistent with background traffic from the msedge.exe utility process listed under Processes rather than with command-and-control by the sample. That attribution is the reviewer's reading: the table does not tie connections to a process.

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\autC20.tmp

MD5 5a82d2ba2918d9b69b8d2e33453508db
SHA1 10630a647881d8afbcab3792b75fc8b9ad5951dc
SHA256 c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45
SHA512 86113245589e0d877fafa9436501d931c7a1ec5d2afc0ea415e74b85b00209157ced185a8d41076d0537ca160a8cbbbbcbbfed3bf4f3495fe696a1b59b169258

memory/4756-12-0x0000000003B50000-0x0000000003B54000-memory.dmp

C:\Users\Admin\AppData\Local\directory\file5.exe

MD5 827d17ea8908eee608affcbf9a41a4a8
SHA1 082df822af7674e9851f707a11eb948d9dd3107b
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e
SHA512 71d6039b72fb1c31f47233d8706fc846da76016f8f99bf550b9933add346e4f6847ae2f9d26dd0ebbde5beb2ad1d4690e1b29a2761fd2232345f9657cb89722e

C:\Users\Admin\AppData\Local\Temp\pyogenesis

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\done

MD5 764c56ef5805ba4e1b8a20f7c7515762
SHA1 43d20748615fdcbc5dc2781c7ec39aa05d93dd66
SHA256 154599a882d84df848b842b1262f810a1ee21f273357de1f1ac812821ba3d8ae
SHA512 9f2be8f1e9f067b88450436abc57a7305507c0429c7ffa3ee3134b466b7d43f41b435f30cb4664d4c16dfcf1172692e9965d121907930aea8307982543596cfa

memory/4924-32-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4924-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4924-33-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4924-35-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe

MD5 02d5934d708008ecdbced2f8c1491727
SHA1 21f7ab77b928386ace6ac3366ae017b0ac73ad3a
SHA256 f8898de9a8d6d10f61e1075471f4dbf21e52b5e71969d10675359fa7bfcbfd00
SHA512 252b8652695b60222d1165eda50440893f1a5c5e59a6d2e607de80405fb1d083da3421a0b3d27f3dfb20e298253d0f04ae87d6c092270ac4f23056c33f6523a5

memory/4924-48-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

MD5 1ced9f83a3accc8823ed2641725a6441
SHA1 5f094d0d8141d9f1b404e639d000e5fa09c1a9bc
SHA256 073ac7aa3f44b0c276ce79b52046ea1d6ffb325556df42184d27c4731bd85b76
SHA512 3f4e722d3a571d4621482f02118bf6ff5561058c3f59ffc74b8642d8796a50a449f63a26fc074634dba80e93ed3245904ffe1852948d1fcd01f196c47d1baeff
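Read together, the Files sections of the two runs carry several points the signature tables do not call out. file5.exe has the submitted sample's SHA256, so the dropper wrote a byte-identical copy of itself. In the win10 run, pyogenesis hashes to the digests of a zero-length input (MD5 d41d8cd9..., SHA256 e3b0c442...), so it was created but never written, whereas in the win7 run it holds the same content as win10's autC20.tmp (SHA256 c33f8766...), a temp-file name consistent with the AutoIT Executable signature. 3582-490\svchost.exe sits in Neshta's known host-drop directory. The memory/4924-... dumps all cover 0x400000-0x41B000 in PID 4924, the svchost.exe that PID 464 targeted with SetThreadContext (PID 2140 targeting 2560 plays the same role in the win7 run), which is the region a hollowed image occupies. The script below parses the flattened listing and flags these points; it is an added example rather than sandbox tooling, the function names are the editor's own, and the embedded excerpt is copied from the behavioral2 Files section above with the SHA1 and SHA512 lines omitted.

```python
"""Triage the flattened 'Files' listing of a sandbox report.

Added example, not part of the sandbox's own tooling. The excerpt below is
copied from the behavioral2 Files section (SHA1/SHA512 lines omitted).
"""
import re
from collections import defaultdict

# Submitted sample (from the report header)
SAMPLE_SHA256 = "12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e"
# SHA-256 of zero bytes: a file that was created but never written
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Directory Neshta uses to drop the host program it was launched from
NESHTA_HOST_DIR = "\\3582-490\\"

FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\autC20.tmp
MD5 5a82d2ba2918d9b69b8d2e33453508db
SHA256 c33f87666040884ab0f834f40bc9b9439f67c21c0397c10989081a1cbaf3ef45

memory/4756-12-0x0000000003B50000-0x0000000003B54000-memory.dmp

C:\Users\Admin\AppData\Local\directory\file5.exe
MD5 827d17ea8908eee608affcbf9a41a4a8
SHA256 12afbeae36c86ffa1781c6faac9cd3b460fe5835c55b901e7ec28e39df418d5e

C:\Users\Admin\AppData\Local\Temp\pyogenesis
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

memory/4924-32-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4924-34-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4924-33-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4924-35-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
MD5 02d5934d708008ecdbced2f8c1491727
SHA256 f8898de9a8d6d10f61e1075471f4dbf21e52b5e71969d10675359fa7bfcbfd00

memory/4924-48-0x0000000000400000-0x000000000041B000-memory.dmp
"""

# "Suspicious use of SetThreadContext" row from behavioral2
CONTEXT_EVENTS = ["PID 464 set thread context of 4924"]

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_files(text):
    """Return (files, dumps).

    files: [{"path": ..., "MD5": ..., "SHA256": ...}, ...] in listing order
    dumps: [(pid, seq, start, end), ...] from memory/<pid>-<seq>-<start>-<end>-memory.dmp
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line}  # any other non-blank line starts a new entry
        files.append(current)
    return files, dumps


def triage(files, dumps, context_events):
    """Return (reason, detail) pairs a reviewer should look at first."""
    findings = []
    for f in files:
        path, sha = f["path"], f.get("SHA256")
        if sha == SAMPLE_SHA256:
            findings.append(("self-copy of submitted sample", path))
        if sha == EMPTY_SHA256:
            findings.append(("zero-length file (created, never written)", path))
        if NESHTA_HOST_DIR in path:
            findings.append(("Neshta host drop directory", path))
    # PIDs whose thread context another process rewrote (hollowing target)
    targets = {int(m.group(2)) for m in map(CTX_RE.search, context_events) if m}
    regions = defaultdict(list)
    for pid, seq, start, end in dumps:
        regions[(pid, start, end)].append(seq)
    for (pid, start, end), seqs in sorted(regions.items()):
        if pid in targets:
            findings.append(("image region of SetThreadContext target",
                             f"pid {pid} 0x{start:08X}-0x{end:08X} ({len(seqs)} dumps)"))
    return findings


def triage_report():
    """Run the triage over the embedded behavioral2 excerpt."""
    files, dumps = parse_files(FILES_EXCERPT)
    return triage(files, dumps, CONTEXT_EVENTS)


if __name__ == "__main__":
    for reason, detail in triage_report():
        print(f"{reason}: {detail}")
```

Fed the behavioral1 listing instead, with "PID 2140 set thread context of 2560", the same code flags file5.exe as the self-copy and the five 0x400000-0x41B000 dumps of PID 2560; the 3582-490 directory only shows up in the win10 run. The hashed region is what to carve and compare against the on-disk svchost.exe when confirming the hollowing.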