Malware Analysis Report

2024-11-16 12:14

Sample ID 240716-rp3ntaxajr
Target 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
SHA256 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
Tags
neshta execution persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e

Threat Level: Known bad

The file 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe was found to be: Known bad.

Malicious Activity Summary

neshta execution persistence spyware stealer

Neshta

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Modifies system executable filetype association

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 14:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 14:22

Reported

2024-07-16 14:25

Platform

win7-20240705-en

Max time kernel

29s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe

"C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QBloUDNxsti.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBloUDNxsti" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF02.tmp"

C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe

"C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmpCF02.tmp

MD5 3c0d3592d2b748f62508768029be0513
SHA1 727960b8025464244ea082b051c947365ab88146
SHA256 0d2d3724c8016cddf4fe1b759af0800a9207b0a90736c49918b67a7984c4c969
SHA512 f23881c08df60af15c10d08cc4855407d37203a0714a763acae3493e58be834beb0d9575788bbcfef513dd507b8ff299b04b7216c2c3df8665dccb6d1ad511ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 5309245d5c942297645cdaf41a1b035d
SHA1 f27512c94c52653e7495a6f56bae5b3ac1c86fce
SHA256 db69fb32ec69d56667ee66922c581e86a6a4c09124247ef75bc90703d7deeaf5
SHA512 003a650e8ee0e31be6a6b4067d70057c98637ea625a0b2f435825fdbd5b23c842203ab9dcfa10fbf0be5097e3a03b14112bd1d8cabafa6216589f4903336b0af

C:\Windows\svchost.com

MD5 831ea2d64c8371b5fb5c293902f942dd
SHA1 41bda99a7dcda14fffc5297f77d73deccf7e52f9
SHA256 0be3fe232479bb98c0801b5b5279e6f0527d470cf93236c9cc8109dd8bf6b268
SHA512 eb195b26b63bff3102231be5fcef9e700b23af42485719c1b77e30b06efd7cfd2c170a46d756c38d8056f0a9fa12fd25564bf21a700238035f4d066afadc0b0a

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\Users\Admin\AppData\Roaming\QBLOUD~1.EXE

MD5 8c4507c84e866d7a0677244d94c439f6
SHA1 b7917d2630306f79444a473903c0170ce8e58abe
SHA256 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
SHA512 950b7452c9047f24baec92101973fd3d4fdfac7f81cc2208df2a20de46db43b54eb411fa48442df5cf963ba18286047490b920529906149a8e1d9a5605bf01e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 14:22

Reported

2024-07-16 14:25

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

Signatures

Neshta

persistence spyware neshta

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 208 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\schtasks.exe
PID 208 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\schtasks.exe
PID 208 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Windows\SysWOW64\schtasks.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe
PID 208 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe

"C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QBloUDNxsti.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QBloUDNxsti" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50C.tmp"

C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe

"C:\Users\Admin\AppData\Local\Temp\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/208-0-0x000000007509E000-0x000000007509F000-memory.dmp

memory/208-1-0x0000000000FE0000-0x000000000109C000-memory.dmp

memory/208-2-0x0000000005FB0000-0x0000000006554000-memory.dmp

memory/208-3-0x0000000005AA0000-0x0000000005B32000-memory.dmp

memory/208-4-0x0000000005B40000-0x0000000005B4A000-memory.dmp

memory/208-5-0x0000000075090000-0x0000000075840000-memory.dmp

memory/208-6-0x0000000008350000-0x000000000836A000-memory.dmp

memory/208-7-0x0000000006C60000-0x0000000006C6E000-memory.dmp

memory/208-8-0x0000000006CC0000-0x0000000006D4E000-memory.dmp

memory/208-9-0x000000000A7E0000-0x000000000A87C000-memory.dmp

memory/4920-14-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

memory/4920-15-0x0000000075090000-0x0000000075840000-memory.dmp

memory/4920-16-0x0000000005670000-0x0000000005C98000-memory.dmp

memory/4920-17-0x0000000075090000-0x0000000075840000-memory.dmp

memory/4920-18-0x0000000075090000-0x0000000075840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp50C.tmp

MD5 23f92ba7ebfe5f2d6d3a8fe25c73270e
SHA1 4d30f02eb547f92749fa9e6573d389554cceb01e
SHA256 823e043586d4ef358826baf3f4753d42b1e26d461115cc0b6deefe20d702ecc8
SHA512 140f533e1ae41ebe6d22ff1a2b7cdc7ef868ef8ab15e56fbc3aeea354b1da33b8003a9076220d99bbf3423b30fb10d0f0141e9181b4aa7b2ac68beca8f04ff86

memory/4920-22-0x0000000005D10000-0x0000000005D76000-memory.dmp

memory/4392-23-0x0000000075090000-0x0000000075840000-memory.dmp

memory/4920-21-0x0000000005CA0000-0x0000000005D06000-memory.dmp

memory/4392-24-0x0000000005C90000-0x0000000005FE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fazedw4p.ygq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3532-36-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4392-48-0x0000000075090000-0x0000000075840000-memory.dmp

memory/3532-35-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e.exe

MD5 ae303747897daf45e48698d2ae593960
SHA1 b9349e9bf97e84e1490450a6a71f364a8a18ba40
SHA256 6ad9d05e2f8ab4b9050da219cc18aef707fd79ff7ee6e108bfb5f1d262c26dbb
SHA512 6386c4b064a957481a52faf153fc93af4029f2ade078656a359a8e0398c0329df6a903062a16868dc69efb06489af61a52aeccea4958402ddf46315f0b6ff16b

memory/4392-34-0x0000000075090000-0x0000000075840000-memory.dmp

memory/4920-20-0x00000000055A0000-0x00000000055C2000-memory.dmp

memory/208-56-0x0000000075090000-0x0000000075840000-memory.dmp

C:\Windows\svchost.com

MD5 831ea2d64c8371b5fb5c293902f942dd
SHA1 41bda99a7dcda14fffc5297f77d73deccf7e52f9
SHA256 0be3fe232479bb98c0801b5b5279e6f0527d470cf93236c9cc8109dd8bf6b268
SHA512 eb195b26b63bff3102231be5fcef9e700b23af42485719c1b77e30b06efd7cfd2c170a46d756c38d8056f0a9fa12fd25564bf21a700238035f4d066afadc0b0a

memory/4392-61-0x0000000006270000-0x00000000062BC000-memory.dmp

memory/4392-60-0x0000000006250000-0x000000000626E000-memory.dmp

memory/4392-63-0x0000000075940000-0x000000007598C000-memory.dmp

memory/4392-73-0x00000000073B0000-0x00000000073CE000-memory.dmp

memory/4392-62-0x00000000073F0000-0x0000000007422000-memory.dmp

memory/4392-74-0x0000000007430000-0x00000000074D3000-memory.dmp

memory/4920-76-0x0000000075940000-0x000000007598C000-memory.dmp

memory/4392-86-0x0000000007570000-0x000000000758A000-memory.dmp

memory/4392-75-0x0000000007BB0000-0x000000000822A000-memory.dmp

memory/4392-87-0x00000000075E0000-0x00000000075EA000-memory.dmp

memory/4392-88-0x00000000077F0000-0x0000000007886000-memory.dmp

memory/4392-89-0x0000000007770000-0x0000000007781000-memory.dmp

memory/4392-90-0x00000000077A0000-0x00000000077AE000-memory.dmp

memory/4392-91-0x00000000077B0000-0x00000000077C4000-memory.dmp

memory/4392-103-0x00000000078B0000-0x00000000078CA000-memory.dmp

memory/4392-107-0x0000000007890000-0x0000000007898000-memory.dmp

memory/4392-113-0x0000000075090000-0x0000000075840000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 749319a7a7f726db08aa338b2339f6ff
SHA1 d1b687978765a48363e5c76ed4add150cfc1ad10
SHA256 0ff6b4b94ece69832183bf24fd84b1928f3fb03d517632fc9c186b8eb6b6dbfa
SHA512 7d09ff65742c24e0079d15d4aad15b9ef52c0bde2a812f95ca7743f8d18fef24824022fc0aa30457258971a98b262810481f4499387fb56bdadd4b3c02ccbccf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4920-125-0x0000000075090000-0x0000000075840000-memory.dmp

C:\Users\Admin\AppData\Roaming\QBLOUD~1.EXE

MD5 8c4507c84e866d7a0677244d94c439f6
SHA1 b7917d2630306f79444a473903c0170ce8e58abe
SHA256 08666ef4278f5e77d441949a6069b712fd4908fc75df489ed9289daa5ff3cf5e
SHA512 950b7452c9047f24baec92101973fd3d4fdfac7f81cc2208df2a20de46db43b54eb411fa48442df5cf963ba18286047490b920529906149a8e1d9a5605bf01e1