neshta | 4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9eb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
Size

2.9MB
MD5

5bf6ef6ef0aacf53e2fd7d1e4ba4b800
SHA1

265706fad722d650ad668753bfbb28fc66201266
SHA256

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9eb
SHA512

86b03c2eca50ad035fe5f4d26881faaac28bb1b96f104ca91fd429390d7c016b6561a6bbafb37514abbc2e33f64bb00f4959b45be102b10bf3f0e7c34c83f218
SSDEEP

49152:F/Qdykp2boz074d6DAuPBN8+9oDF3fP+UHHgDwxy4Ifz101mH:9webOuAkBN8+CF3fP+sADw84yzH

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0001000000010317-10.dat	family_neshta
behavioral1/memory/2292-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2292-286-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 2 IoCs

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exeirsetup.exe

pid	Process
2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
2684	irsetup.exe

Loads dropped DLL 10 IoCs

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exeirsetup.exe

pid	Process
2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
2684	irsetup.exe
2684	irsetup.exe
2684	irsetup.exe
2684	irsetup.exe
2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exeirsetup.exe

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File created	C:\Program Files (x86)\ÀÎÁõ¼ º¹»ç\irunin.lng	irsetup.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\Program Files (x86)\ÀÎÁõ¼ º¹»ç\irunin.ini	irsetup.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

Drops file in Windows directory 3 IoCs

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exeirsetup.exe

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
File created	C:\Windows\iun506.exe	irsetup.exe
File opened for modification	C:\Windows\iun506.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exeirsetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Modifies registry class 1 IoCs

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid	Process
2684	irsetup.exe
2684	irsetup.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

description	pid	Process	procid_target
PID 2292 wrote to memory of 2824	2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	30
PID 2292 wrote to memory of 2824	2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	30
PID 2292 wrote to memory of 2824	2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	30
PID 2292 wrote to memory of 2824	2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	30
PID 2292 wrote to memory of 2824	2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	30
PID 2292 wrote to memory of 2824	2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	30
PID 2292 wrote to memory of 2824	2292	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	30
PID 2824 wrote to memory of 2684	2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	31
PID 2824 wrote to memory of 2684	2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	31
PID 2824 wrote to memory of 2684	2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	31
PID 2824 wrote to memory of 2684	2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	31
PID 2824 wrote to memory of 2684	2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	31
PID 2824 wrote to memory of 2684	2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	31
PID 2824 wrote to memory of 2684	2824	4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe	31

C:\Users\Admin\AppData\Local\Temp\4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
"C:\Users\Admin\AppData\Local\Temp\4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\3582-490\4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\irsetup.exe
    C:\Users\Admin\AppData\Local\Temp\irsetup.dat
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DRBIT50\NPKIShare\DBTuning.vshost.exe

Filesize
11KB

MD5
bad0cce707e631722671eb8fd9376e7d

SHA1
265082cc473b84f666b8a9a9b1f747f68cb6a1d4

SHA256
a36878ce723af818246c98ad08e38b83686c7e9267f244d47073ae98fbc57276

SHA512
84a284e51d60384122a5860a07c166e1dbbd3df5539e7939f02ba15bd048c5a53681470843a7c5fe12b4a9c0d73279b2a1ce8e1be0a62f34334fc3401d468a26

Download Submit
C:\DRBIT50\NPKIShare\DBTuning.vshost.exe.manifest

Filesize
490B

MD5
a19a2658ba69030c6ac9d11fd7d7e3c1

SHA1
879dcf690e5bf1941b27cf13c8bcf72f8356c650

SHA256
c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f

SHA512
fa583ba012a80d44e599285eb6a013baf41ffbe72ee8561fc89af0ec5543003ba4165bfe7b1ba79252a1b3b6e5626bf52dc712eacd107c0b093a5a2757284d73

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Program Files (x86)\ÀÎÁõ¼ º¹»ç\irunin.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\ÀÎÁõ¼ º¹»ç\irunin.ini

Filesize
2KB

MD5
abd15d6268f253a710a38c7159bdd969

SHA1
e8df22255b6c876330bc9ae746315b2dfd1a938b

SHA256
73b21d8681071bf512413f2edcba8e5d0f7409605ae2a43500e8c16426cd5482

SHA512
1084805ba7320b8f471a8bad5c65423d9cb877d3fc3464c4c2b3fea605f58eef9f43e80d5c8979e8948a82fdb2ee23ebd116de726a6201de5247731db34dc202

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4740dd4bf9540384d6c683ad082ab8eed9bf94846e57135bb7261c23c0e3c9ebN.exe

Filesize
2.9MB

MD5
a9addc318f993e6caa58ed2fb75c0781

SHA1
1a4772168b943fa7581024287cc8e5f827a0b5fb

SHA256
4b8b6bff91d2d2808a3658d2a5af568186705c6b6d46140812e1540c236226b6

SHA512
261c8f0dac5551c78eac7a4331cfa67e6aa527fe4fa26926bfe9446d48b0fb8234ff3b850c018cc6962861d9948600a31aa20e946856025dfbbb1999c82ec27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
8KB

MD5
4f8c559df29ff69b17fb1045975640e2

SHA1
b9d56635f7e17a334862b31d75adbd717c55a9b7

SHA256
39c0b94210b9fc873cc464dcc6742928b2e86a9a35cb7f1c26806250f26e5b1c

SHA512
1bbfea35b2f92b237b55cbdba2c4e4cd4774f5747ab3f07f68543ae1f877eb967c1c03ac648c96dcfa9bb2c7a3cb7490977246b5d340e5522ab4329058f35004

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
147B

MD5
9f5b0cdbaf47cc4aa293d21f2aab862c

SHA1
aaf923714d8878d390dd453b54132290869cfa3c

SHA256
c9ed72d95f70083544d9314b855f98546ec91dd35fe2124c7ce092c14a53c5dd

SHA512
ca34df46839bcc33f2a612b5701782fb51503b9abbfbc86f0c79889eb1bd85bb433ab6116147f9f4809c79bdaae1caf33153870de7ff08058c3b7a032894ff8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.uni

Filesize
280KB

MD5
28942baedcc3d3cc4f1beb7ec7d34c2b

SHA1
5d5d478bee6754e90aab57df98323eea1a2691ce

SHA256
34c7002e6dc8ecabb5aa37dd6baae7cd58efdb7ecd442266cceb5249e8c8de90

SHA512
5754dba5ac7eff59622efffee9799faf078504d8258fd2e6f12b295c715eb0e4a8d77981c958dd6453a26a1968ec9c2ac2496eeee369991a022f7dd8b446a454

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf5lng.0

Filesize
8KB

MD5
f3fa2d7e4c362a2a17fa0a27bb6e38e0

SHA1
62b4632747a2258950acdfff0b94418568744852

SHA256
b6f5d2fe874153e7699e01dde9e097cc8e71da0fef400be256ba8569e36af75d

SHA512
fdfa7b5156ee962e7815e5489ab16dea1485978e287aa52ca82b1c96310cc4ea65903ac296922b0bbcabdbe927bea0c0a89f82576f614eaca3a5fd05aa8e76c0

Download Submit
\DRBIT50\NPKIShare\NPKIShare.exe

Filesize
27KB

MD5
ddb84356178a6f305b089659cff2e926

SHA1
5d2470491708b452b4e6011dd324044561f6ab43

SHA256
b439daad6328e408bb9c254f0e567f19855d482ad0b484eddf9d3a615c6ea681

SHA512
7b8f87cc74f54be4aeff0b3c0a6c30c8c669d7accea57453a9c5b39d28707a1ac76836879742c8b2d9eb8db58da89c7c2967adf9b5c317bd1f5b7a53a2542930

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
380KB

MD5
6ed2665cc67db8f54aef0e885baf5cb7

SHA1
47d60c9aeb2f0d2dc25b17ed97b5e33c3e1d9f86

SHA256
d838ea3895116563b069d7c23b2168d6ee73f1e947418ff8c835d3f69ba2273c

SHA512
802db841c0f37cccedf62e4380f10cd77e1b8279f8c5436c1d3352f77c878267c0901a0b313ab7ecbe85ab09e216f98ca4bf67fba40e1144b19c8c75a4454cce

Download Submit
memory/2292-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2292-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download