neshta | 8a6b92d3034b9387f60884112a3ce305be814384bc7aadc587ab2209f224d1ef

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae3912707dd3df2a063865316ff1ef0N.exe
Size

1.1MB
MD5

cae3912707dd3df2a063865316ff1ef0
SHA1

041edc2d70b8e6a487b7ec37bb4171914fa8b5dc
SHA256

8a6b92d3034b9387f60884112a3ce305be814384bc7aadc587ab2209f224d1ef
SHA512

9b72a3c100156a224f1a0866ee0326abec4320526b7fa28490fcf6256d285a4e401a4037c498568d42bab3ef6db8d3d457bd33adf80fcdd67d015e6b54f2f0ef
SSDEEP

24576:I5xolYQY6WmDopO7Rpc5xcZPY0c28TcoXgWwHANQfezeHjr5E1Bnj6DSEpJ:jYoQxcZPEogN6eyjYBC7r

Score

10^/10

neshta bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010317-18.dat	family_neshta
behavioral1/memory/2416-186-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2416-189-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 7 IoCs

pid	Process
1532	cae3912707dd3df2a063865316ff1ef0N.exe
2744	cae3912707dd3df2a063865316ff1ef0n.exe
2684	icsys.icn.exe
2716	explorer.exe
2740	spoolsv.exe
1676	svchost.exe
1616	spoolsv.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	cae3912707dd3df2a063865316ff1ef0n.exe

Loads dropped DLL 17 IoCs

pid	Process
2416	cae3912707dd3df2a063865316ff1ef0N.exe
2416	cae3912707dd3df2a063865316ff1ef0N.exe
1532	cae3912707dd3df2a063865316ff1ef0N.exe
1532	cae3912707dd3df2a063865316ff1ef0N.exe
1532	cae3912707dd3df2a063865316ff1ef0N.exe
1532	cae3912707dd3df2a063865316ff1ef0N.exe
2416	cae3912707dd3df2a063865316ff1ef0N.exe
2684	icsys.icn.exe
2684	icsys.icn.exe
2716	explorer.exe
2716	explorer.exe
2740	spoolsv.exe
2740	spoolsv.exe
1676	svchost.exe
1676	svchost.exe
2416	cae3912707dd3df2a063865316ff1ef0N.exe
2416	cae3912707dd3df2a063865316ff1ef0N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cae3912707dd3df2a063865316ff1ef0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cae3912707dd3df2a063865316ff1ef0n.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cae3912707dd3df2a063865316ff1ef0n.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2744	cae3912707dd3df2a063865316ff1ef0n.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	cae3912707dd3df2a063865316ff1ef0N.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\svchost.com	cae3912707dd3df2a063865316ff1ef0N.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cae3912707dd3df2a063865316ff1ef0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cae3912707dd3df2a063865316ff1ef0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cae3912707dd3df2a063865316ff1ef0n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cae3912707dd3df2a063865316ff1ef0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2744	cae3912707dd3df2a063865316ff1ef0n.exe
2684	icsys.icn.exe
2716	explorer.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
1676	svchost.exe
2716	explorer.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
1676	svchost.exe
2716	explorer.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe
2716	explorer.exe
1676	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1676	svchost.exe
2716	explorer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1532	cae3912707dd3df2a063865316ff1ef0N.exe
1532	cae3912707dd3df2a063865316ff1ef0N.exe
2684	icsys.icn.exe
2684	icsys.icn.exe
2716	explorer.exe
2716	explorer.exe
2740	spoolsv.exe
2740	spoolsv.exe
1676	svchost.exe
1676	svchost.exe
1616	spoolsv.exe
1616	spoolsv.exe
2716	explorer.exe
2716	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1532	2416	cae3912707dd3df2a063865316ff1ef0N.exe	30
PID 2416 wrote to memory of 1532	2416	cae3912707dd3df2a063865316ff1ef0N.exe	30
PID 2416 wrote to memory of 1532	2416	cae3912707dd3df2a063865316ff1ef0N.exe	30
PID 2416 wrote to memory of 1532	2416	cae3912707dd3df2a063865316ff1ef0N.exe	30
PID 1532 wrote to memory of 2744	1532	cae3912707dd3df2a063865316ff1ef0N.exe	31
PID 1532 wrote to memory of 2744	1532	cae3912707dd3df2a063865316ff1ef0N.exe	31
PID 1532 wrote to memory of 2744	1532	cae3912707dd3df2a063865316ff1ef0N.exe	31
PID 1532 wrote to memory of 2744	1532	cae3912707dd3df2a063865316ff1ef0N.exe	31
PID 1532 wrote to memory of 2684	1532	cae3912707dd3df2a063865316ff1ef0N.exe	32
PID 1532 wrote to memory of 2684	1532	cae3912707dd3df2a063865316ff1ef0N.exe	32
PID 1532 wrote to memory of 2684	1532	cae3912707dd3df2a063865316ff1ef0N.exe	32
PID 1532 wrote to memory of 2684	1532	cae3912707dd3df2a063865316ff1ef0N.exe	32
PID 2684 wrote to memory of 2716	2684	icsys.icn.exe	33
PID 2684 wrote to memory of 2716	2684	icsys.icn.exe	33
PID 2684 wrote to memory of 2716	2684	icsys.icn.exe	33
PID 2684 wrote to memory of 2716	2684	icsys.icn.exe	33
PID 2716 wrote to memory of 2740	2716	explorer.exe	34
PID 2716 wrote to memory of 2740	2716	explorer.exe	34
PID 2716 wrote to memory of 2740	2716	explorer.exe	34
PID 2716 wrote to memory of 2740	2716	explorer.exe	34
PID 2740 wrote to memory of 1676	2740	spoolsv.exe	35
PID 2740 wrote to memory of 1676	2740	spoolsv.exe	35
PID 2740 wrote to memory of 1676	2740	spoolsv.exe	35
PID 2740 wrote to memory of 1676	2740	spoolsv.exe	35
PID 1676 wrote to memory of 1616	1676	svchost.exe	36
PID 1676 wrote to memory of 1616	1676	svchost.exe	36
PID 1676 wrote to memory of 1616	1676	svchost.exe	36
PID 1676 wrote to memory of 1616	1676	svchost.exe	36
PID 1676 wrote to memory of 2460	1676	svchost.exe	37
PID 1676 wrote to memory of 2460	1676	svchost.exe	37
PID 1676 wrote to memory of 2460	1676	svchost.exe	37
PID 1676 wrote to memory of 2460	1676	svchost.exe	37
PID 1676 wrote to memory of 3048	1676	svchost.exe	40
PID 1676 wrote to memory of 3048	1676	svchost.exe	40
PID 1676 wrote to memory of 3048	1676	svchost.exe	40
PID 1676 wrote to memory of 3048	1676	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\cae3912707dd3df2a063865316ff1ef0N.exe
"C:\Users\Admin\AppData\Local\Temp\cae3912707dd3df2a063865316ff1ef0N.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\3582-490\cae3912707dd3df2a063865316ff1ef0N.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\cae3912707dd3df2a063865316ff1ef0N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1532
- - \??\c:\users\admin\appdata\local\temp\3582-490\cae3912707dd3df2a063865316ff1ef0n.exe
    c:\users\admin\appdata\local\temp\3582-490\cae3912707dd3df2a063865316ff1ef0n.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2744
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\at.exe
        
        at 08:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\at.exe
        
        at 08:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cae3912707dd3df2a063865316ff1ef0n.exe

Filesize
925KB

MD5
d95033034e7c450ae00c9955dd0567e2

SHA1
bf8fa6770c480d968a029da34dcc82485c0518bb

SHA256
eeb85f0a9a773e2087238a5bca4c7aec94c113920f582a10114c8ee3e93bf7f4

SHA512
20b5e1e587e95848c445f4c9c9a4fabc67248bf15e094c5e12b284b076196c961fec7e45202a3caa5a5e7dbd98468536ca6dccbe69b576d479fad6273d71b770

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c6c358f57ded736cc5295a9d9127aa85

SHA1
344161a04a263d19d548d8767ce393405bd2a283

SHA256
c7a977174658080b2655e6b68e8c13e91867e0e5e660be5a189f63334fb19e70

SHA512
844595df3cbff3e4f1a62e28b50a43d270e96d919f3970a182a55f8c2f53f50fbc37b1a58ef30e088b66f562dfa28c77aabcbbcd853389f5cf4aee5252db616d

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
5bee690f552a306a507b06e3e996fa11

SHA1
a630316f18b7f2b3ed477dc72d2f6a9e72a86f16

SHA256
ca20ea86f2bfbd7640ffec61dcd3b47dc5d3fa7fd159398a9dc00678b9efed3d

SHA512
af03a87c7a342555fcb6e6fa3b80217afa550c48055730fd58e1e2fb826795c2e0d73f424c2a322509e6fe1c4ffaad28388f50b26cd35f4e2eac813ad8f79be6

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\cae3912707dd3df2a063865316ff1ef0N.exe

Filesize
1.1MB

MD5
3ef849d829aae6fdf88400ae7cace853

SHA1
4cb72de0677ab99e82dd7dc8b4611774148e5f37

SHA256
945358ab8152a35172070d04c013f09b5bb29a2cc22036ef4712bb3031e7caba

SHA512
d0d990e2772d63fe7a32dab16f7b3ee6d539b8e3748d2fc36b3ead55fec1af83f3cff0264f2dd0c54774b6f79ab84df906b043f27552891eaff79e70d15df6e7

Download Submit
\Windows\system\explorer.exe

Filesize
207KB

MD5
914c4a4fc89bcfeb78e489f206677bff

SHA1
32f1b8e539e45fdd3487989c658b15539230def8

SHA256
257c028a041dfaed27a32da392de3ce6419c261c6a2b3ded4be8851ee5fd166c

SHA512
cf77fba4e142525eb268faefd1d590df4d5b273a3c9b85c1863d70c9d0b987493cf3fd6612519e55a5cff2100427ddebfa0719424be52a2b4a9ed1a345e6519a

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
7f12d943a968ddaae326326960002dbc

SHA1
15c5b5fab037135682364a24d75bb832c916c162

SHA256
45712f7971994d87a62335b4ea78779483c42c540901fda17f0fce3f359b598f

SHA512
6af3ba7898bf5cedc3d13f651b8b0eb5bd11f87129d9c5aed3ddc204c18b562f395a376d9d2fd824fa543024e95b25ac50e6197205984a0da0146ab704126019

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
490ff4eb3200387318baaa5de55e71ec

SHA1
2b609959c91d3d7b5b6d465c1a185aa8009d0f0f

SHA256
8dbfdb7953a3ef6e0d1319e1a3dc04b1ba70250163e37eab651189f6c08f86cd

SHA512
690921e6118a4388c8f51a698a21bb39661fe98d850271b61f476203c48635ece58e2760bcfe6948ec7336b2f1263ba11a4a2aa9c0e67c1b849238c515d8dbd5

Download Submit
memory/1532-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-29-0x0000000003360000-0x0000000003571000-memory.dmp

Filesize
2.1MB

Download
memory/1532-30-0x0000000003360000-0x0000000003571000-memory.dmp

Filesize
2.1MB

Download
memory/1532-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-46-0x0000000002730000-0x0000000002771000-memory.dmp

Filesize
260KB

Download
memory/1616-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1676-201-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/1676-200-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/1676-135-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/1676-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1676-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-186-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-178-0x0000000002D60000-0x0000000002DA1000-memory.dmp

Filesize
260KB

Download
memory/2416-10-0x0000000002D60000-0x0000000002DA1000-memory.dmp

Filesize
260KB

Download
memory/2416-9-0x0000000002D60000-0x0000000002DA1000-memory.dmp

Filesize
260KB

Download
memory/2416-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-67-0x00000000026D0000-0x0000000002711000-memory.dmp

Filesize
260KB

Download
memory/2716-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-197-0x0000000002730000-0x0000000002771000-memory.dmp

Filesize
260KB

Download
memory/2716-87-0x0000000002730000-0x0000000002771000-memory.dmp

Filesize
260KB

Download
memory/2740-125-0x0000000002730000-0x0000000002771000-memory.dmp

Filesize
260KB

Download
memory/2740-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-126-0x0000000002730000-0x0000000002771000-memory.dmp

Filesize
260KB

Download
memory/2740-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-36-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-187-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-38-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-190-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-191-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-192-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-193-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-194-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-195-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-37-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-35-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-198-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-33-0x0000000000401000-0x000000000043A000-memory.dmp

Filesize
228KB

Download
memory/2744-34-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-32-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-202-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-203-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2744-204-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download