Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 24-07-2024 03:03
Behavioral task: behavioral1
  Sample: ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
  Resource: win10v2004-20240709-en
General
Target: ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
Size: 1.1MB
MD5: bbd7910a23f556e6782de49f9297f29b
SHA1: 018d0af275c09a9531403edfbb805cc48d6e1333
SHA256: ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a
SHA512: 5d988167e7da2c8e0465d1d86947c6f7dcacd1cd29abeb3afc98152bc485a82624ca49c4cc9ace69cb2c4a0bb8c4f230ce54de8cdb1927ab7f63e32948566388
SSDEEP: 6144:k9Yjc2ICXRjxC4UBCySMVF1VptGOcssg4U1MImXnk:bc2IC5xCFhVG/Epsnk
Malware Config
Signatures

Detect Neshta payload (24 IoCs)
resource  yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe  family_neshta
C:\Windows\svchost.com  family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe  family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe  family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE  family_neshta
behavioral1/memory/1572-79-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2808-81-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2640-82-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe  family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE  family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE  family_neshta
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE  family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE  family_neshta
behavioral1/memory/1604-211-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1992-213-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2168-212-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/2168-214-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1604-216-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
behavioral1/memory/1992-220-0x0000000000400000-0x000000000041B000-memory.dmp  family_neshta
Neshta
Malware from the Neshta family is a file infector: it writes itself into other files in order to spread and cause damage.
Executes dropped EXE (11 IoCs)
pid   process
2200  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
2168  svchost.com
1572  svchost.com
1992  svchost.com
2580  GOLDMD~1.EXE
2956  Setup.exe
2420  Setup.exe
2640  svchost.com
2648  svchost.exe
2808  svchost.com
2484  svchost.exe
Loads dropped DLL (17 IoCs)
pid   process
1604  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
2168  svchost.com
1572  svchost.com
1992  svchost.com
2640  svchost.com
2808  svchost.com
2808  svchost.com
1872  WerFault.exe
1872  WerFault.exe
1872  WerFault.exe
1872  WerFault.exe
1872  WerFault.exe
1604  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
2168  svchost.com
2168  svchost.com
1604  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
2168  svchost.com
Modifies system executable filetype association (2 TTPs, 1 IoC)
description      ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"  Setup.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"  Setup.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (11 IoCs)
description                   ioc  process
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid   pid_target  process       target process
1872  2580        WerFault.exe  GOLDMD~1.EXE
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GOLDMD~1.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.com
Modifies registry class (1 IoC)
description      ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe
Suspicious use of WriteProcessMemory (48 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1604

  C:\Users\Admin\AppData\Local\Temp\3582-490\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\ca04caf94c48dd2cf44a727452d0920b909ccaaa0c15c1e7ae33f9c33293129a.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2200

    C:\Windows\svchost.com  (depth 3)
      Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2168

      C:\Users\Admin\AppData\Local\Temp\Setup.exe  (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\Setup.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2420

        C:\Windows\svchost.com  (depth 5)
          Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2640

          C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe  (depth 6)
            Command line: C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
            - Executes dropped EXE
            PID: 2648

    C:\Windows\svchost.com  (depth 3)
      Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1572

      C:\Users\Admin\AppData\Local\Temp\Setup.exe  (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\Setup.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2956

        C:\Windows\svchost.com  (depth 5)
          Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2808

          C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe  (depth 6)
            Command line: C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\svchost.exe
            - Executes dropped EXE
            PID: 2484

    C:\Windows\svchost.com  (depth 3)
      Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\GOLDMD~1.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1992

      C:\Users\Admin\AppData\Local\Temp\GOLDMD~1.EXE  (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\GOLDMD~1.EXE
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2580

        C:\Windows\SysWOW64\WerFault.exe  (depth 5)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 548
          - Loads dropped DLL
          - Program crash
          PID: 1872
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads