Malware Analysis Report

2024-11-16 12:12

Sample ID 240722-2bxkra1hlc
Target 1d9d8b7879afd5012d4ec3127b5f1f30N.exe
SHA256 a88f960e928c25ce8f95a503d3ebbf075de87d18bb0c4f33485d25f43d50cc11
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a88f960e928c25ce8f95a503d3ebbf075de87d18bb0c4f33485d25f43d50cc11

Threat Level: Known bad

The file 1d9d8b7879afd5012d4ec3127b5f1f30N.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Reads user/profile data of web browsers

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory
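The chain the two behavioral runs record is the Neshta file infector's persistence and spread: C:\Windows\svchost.com is written, the exefile open verb is rewritten to C:\Windows\svchost.com "%1" %* (the indicator tables show it JSON-escaped) so that every .exe launch passes through svchost.com with the real target as %1, a copy of the sample is relaunched from %TEMP%\3582-490\, and 64 executables under Program Files / ProgramData are opened for modification. The "Reads user/profile data of web browsers" signature, which is what supplies the spyware and stealer tags, lists no indicators in either run, so those tags rest on a match without visible evidence. The Python rule below is an added example, not part of the sandbox output; its Event schema, scores and threshold are assumptions, and the events it scores are constructed from the indicator tables rather than captured logs. It decides the registry indicator by comparing against the Windows default "%1" %* instead of matching the svchost.com string, so an interposer under any name is still caught.

```python
"""Triage rule for the Neshta behaviour chain documented in this report.

Added example, not part of the sandbox output. It scores constructed
telemetry events against the four indicators the behavioral runs show:
  1. C:\\Windows\\svchost.com is written (a .com executable named after the
     service host so it blends in);
  2. the exefile open verb is set to 'C:\\Windows\\svchost.com "%1" %*', so
     every .exe launch runs svchost.com first with the real target as %1;
  3. a copy of the sample is written to %TEMP%\\3582-490\\ and executed;
  4. .exe files under Program Files / ProgramData are opened for modification.
The Event schema, scores and threshold are assumptions for this example, not
a Sysmon or EDR format.
"""
import re
from dataclasses import dataclass, field

# Windows default data for HKLM\SOFTWARE\Classes\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEY = r"hklm\software\classes\exefile\shell\open\command"

SVCHOST_COM = re.compile(r"^[a-z]:\\windows\\svchost\.com$", re.I)
STAGING_COPY = re.compile(r"\\appdata\\local\\temp\\3582-490\\[^\\]+\.exe$", re.I)
# Long names and the 8.3 short names (PROGRA~n) exactly as the report shows them.
PROGRAM_EXE = re.compile(
    r"^[a-z]:\\(progra~\d|program files( \(x86\))?|programdata)\\.*\.exe$", re.I)


@dataclass
class Event:
    kind: str        # "registry_set" | "file_write" | "process_create"
    process: str     # image path of the acting process
    target: str      # registry key, file path, or child image path
    value: str = ""  # registry data for registry_set


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def norm_key(key: str) -> str:
    """Map the NT form \\REGISTRY\\MACHINE\\... seen in sandbox output to hklm\\..."""
    low = key.strip().rstrip("\\").lower()
    if low.startswith("\\registry\\machine\\"):
        low = "hklm\\" + low[len("\\registry\\machine\\"):]
    return low


def exefile_hijack(command: str):
    """Return the interposed program if the exefile verb is not the default.

    Anything placed before the "%1" placeholder runs on every .exe launch;
    that is the persistence mechanism behind Neshta's svchost.com.
    """
    value = command.strip()
    if value == DEFAULT_EXEFILE_COMMAND:
        return None
    head, sep, _ = value.partition('"%1"')
    if not sep:
        return value  # no placeholder at all: broken verb, still not the default
    return head.strip().strip('"') or value


def assess(events) -> Verdict:
    """Score a sequence of events; the exefile hijack alone scores 5."""
    v = Verdict()
    modified = set()
    for e in events:
        if e.kind == "registry_set" and norm_key(e.target) == EXEFILE_KEY:
            interposed = exefile_hijack(e.value)
            if interposed:
                v.score += 5
                v.reasons.append(f"exefile verb routed through {interposed} by {e.process}")
        elif e.kind == "file_write" and SVCHOST_COM.match(e.target):
            v.score += 3
            v.reasons.append(f"{e.target} written by {e.process}")
        elif e.kind == "file_write" and PROGRAM_EXE.match(e.target):
            modified.add(e.target.lower())
        elif e.kind == "process_create" and STAGING_COPY.search(e.target):
            v.score += 2
            v.reasons.append(f"relaunch from 3582-490 staging dir: {e.target}")
    # One installer touching one .exe is normal; mass modification is not.
    if len(modified) >= 3:
        v.score += 2
        v.reasons.append(f"{len(modified)} executables under Program Files opened for modification")
    return v


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"
# Constructed from the win10 run's indicator tables; not a captured log.
REPORT_EVENTS = [
    Event("file_write", SAMPLE, r"C:\Windows\svchost.com"),
    Event("registry_set", SAMPLE,
          "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\",
          r'C:\Windows\svchost.com "%1" %*'),
    Event("process_create", SAMPLE,
          r"C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"),
    Event("file_write", SAMPLE, r"C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe"),
    Event("file_write", SAMPLE, r"C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe"),
    Event("file_write", SAMPLE, r"C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE"),
]
# Constructed control: an installer restoring the default verb and writing one file.
BENIGN_EVENTS = [
    Event("registry_set", r"C:\Windows\System32\msiexec.exe",
          r"HKLM\SOFTWARE\Classes\exefile\shell\open\command", '"%1" %*'),
    Event("file_write", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    for name, evs in (("report", REPORT_EVENTS), ("benign", BENIGN_EVENTS)):
        verdict = assess(evs)
        print(f"{name}: score={verdict.score}")
        for r in verdict.reasons:
            print("  -", r)
```

The control case matters: a legitimate installer re-registering the default verb and writing a single executable must score zero, otherwise the rule fires on every software deployment. Remediation on a real host is the reverse of the indicator: restore the default verb data "%1" %*, remove C:\Windows\svchost.com, and treat every executable in the modification list as infected until its hash matches a known-good copy.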

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:25

Reported

2024-07-22 22:27

Platform

win10v2004-20240709-en

Max time kernel

104s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Modifies system executable filetype association

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description: File opened for modification (every row)
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe (every row)
Target: N/A (every row)
Indicator (64 paths):
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\svchost.com
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe

"C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

memory/4172-1-0x0000000000400000-0x000000000102C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe

MD5 e00c9e5cde84192ebc4d55bb16aa27b7
SHA1 c45672062008ee73436fc2f16b045376bb29a060
SHA256 8e9753c48cc7093e0d454a86348a1234983d122b34976d1d31b174a05f10bac9
SHA512 3933acf89e860aa2a32215cb63c77f71fa58fbcec37445e62dbd1f97530a9f4467c028647ff1f4acf3ab0f668ab1db505bf2a0fa1b93ef48169d854a5cf87434

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 04c6daba4fac663e35df611485367158
SHA1 f1e27d06af670f459de40bd7b0ab9af4289774db
SHA256 0bbc9bffc739d04b2d56a3a56528f0c21e5f179466145de35cea61289781651e
SHA512 a2ac9e3245b25e3492bcac2f3a6072215dca6c3458de59d97959e144a1c89854058b8b32b4690f938e7996ad99b9e74da0a7ccb194e897280885b0b9b3583bf6

memory/4172-97-0x0000000000400000-0x000000000102C000-memory.dmp

memory/4172-98-0x0000000000400000-0x000000000102C000-memory.dmp

memory/4172-99-0x0000000000400000-0x000000000102C000-memory.dmp

memory/4172-101-0x0000000000400000-0x000000000102C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:25

Reported

2024-07-22 22:27

Platform

win7-20240708-en

Max time kernel

15s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Modifies system executable filetype association

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description: File opened for modification (every row)
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe (every row)
Target: N/A (every row)
Indicator (64 paths):
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\svchost.com
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Process: C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe

"C:\Users\Admin\AppData\Local\Temp\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe"

Network

N/A

Files

memory/2384-1-0x0000000000400000-0x000000000102C000-memory.dmp

memory/2384-3-0x00000000003D0000-0x00000000003E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\1d9d8b7879afd5012d4ec3127b5f1f30N.exe

MD5 e00c9e5cde84192ebc4d55bb16aa27b7
SHA1 c45672062008ee73436fc2f16b045376bb29a060
SHA256 8e9753c48cc7093e0d454a86348a1234983d122b34976d1d31b174a05f10bac9
SHA512 3933acf89e860aa2a32215cb63c77f71fa58fbcec37445e62dbd1f97530a9f4467c028647ff1f4acf3ab0f668ab1db505bf2a0fa1b93ef48169d854a5cf87434

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 a03896fb4ccae005d71bbe5b476b60b6
SHA1 080bcfcc57434c2a74279a93d4624bce8c8d8f92
SHA256 ff2ef0c3a21a89a09e38bb46689b8684e8c749206427d55941f6a8aa581ec0b6
SHA512 ca716b3ca64dc51b21e72effe83e71873aaa5b63b34b397add935cfb40684c1c169b43671e273f10733fb366aa9641ed18886cb9652998e38516eba60b8fedb5

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2384-84-0x0000000000400000-0x000000000102C000-memory.dmp

memory/2384-87-0x0000000000400000-0x000000000102C000-memory.dmp