neshta | 38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffd

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
Size

143KB
MD5

2700f614df8e9a3ab8a60208d7683470
SHA1

874283cd1a970603d570c790c0d5bac790134a0a
SHA256

38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffd
SHA512

6706633c1125da81f4ca5e7b91b9f39aba720bf6f0fef7da4aa34edeaae476d8d6697b4570e82336f7c20ed5d5350ebb3fe08205022403d9cb5631bc0e1af15c
SSDEEP

1536:JxqjQ+P04wsmJCeNancU5yXFCljSRVBXLYXzXwl4ePTmCgaHVBXLYXzXwl4ePZAD:sr85CeNantnJSTB8DApbmA1B8DApgN6u

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-11.dat	family_neshta
behavioral1/memory/2224-193-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2224-195-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 1 IoCs

pid	Process
2504	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe

Loads dropped DLL 3 IoCs

pid	Process
2224	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
2224	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
3028	dw20.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2504	2224	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	30
PID 2224 wrote to memory of 2504	2224	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	30
PID 2224 wrote to memory of 2504	2224	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	30
PID 2224 wrote to memory of 2504	2224	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	30
PID 2504 wrote to memory of 3028	2504	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	31
PID 2504 wrote to memory of 3028	2504	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	31
PID 2504 wrote to memory of 3028	2504	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	31
PID 2504 wrote to memory of 3028	2504	38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe	31

C:\Users\Admin\AppData\Local\Temp\38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
"C:\Users\Admin\AppData\Local\Temp\38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\3582-490\38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1176
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
521e8d75cb017a13f678d8e5ce741293

SHA1
b8103b6e10473773e4c995e23940eea6bb51315e

SHA256
0978ecaeefe4c0fe892c6029f73251f5f3f87024bd2684d7360824e05415d21a

SHA512
4c8dc2f38ccd3e6d9bb9668735bf8086bf19e78d8f7b6705cc02e30e7fa29104ea9a85f42ad3afbb970da8badc6b0b80aaeee2f8779db3388a396de44309ac5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC12F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC151.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\38708974d2c243736861ba05f2a09cd6d0117cb11d3a507f6d60ebfde2400ffdN.exe

Filesize
103KB

MD5
e2855b980a3ce3fcb33ee11009b9fe8e

SHA1
f32d3503057d2c36fad2c582d631cfacb94b6b7a

SHA256
9eb3dd4093ad1a19c13739d1aa19765cae90ee9730d8a08ece039248b5144cd4

SHA512
56532a45eab2b3f90e932c14e15db6001e35b901871c696436249af5f631f775b6fd68130927020589cc31e9dc9a82764f268a0ef2b92cc61a8e9b7d20afc293

Download Submit
memory/2224-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2504-12-0x0000000073FF1000-0x0000000073FF2000-memory.dmp

Filesize
4KB

Download
memory/2504-13-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-14-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-192-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads