asyncrat | b14613da1af90d6b88d2d62240b055f861b397529aeba63708586f3c25289aea

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/10/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
Size

279KB
MD5

eb5c04fcf61f943270e9a73d72a4bb53
SHA1

5a5d57cafdad9b8aee9dd6967a00a0aa228d4f08
SHA256

b14613da1af90d6b88d2d62240b055f861b397529aeba63708586f3c25289aea
SHA512

08c3d7c00516a8ff1136b5c52bda1c22fd018e4f0497a5cd69d92a66a437bcd0c6e9b1494d292a78fbaf4f26a1a69e864b5229377622fab037b30b669fc8c5e0
SSDEEP

3072:sr85CtTF9Kw/kxLk42s/8Y31/Yvi9GA54IkMwP5gMTmmsolNIrRuw+mqv9j1MWLo:k9tTF9KxLp8YFgvwmZrTmDANm9zHMU

Score

10^/10

asyncrat neshta default discovery persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

54.253.7.109:4447

Mutex

XqcNee3124zJ

Attributes

delay
21
install
true
install_file
service.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-11.dat	family_neshta
behavioral1/memory/2856-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2856-90-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0008000000016d2e-93.dat	family_neshta
behavioral1/memory/2932-105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2036-14-0x0000000000360000-0x0000000000372000-memory.dmp	family_asyncrat
behavioral1/memory/536-111-0x0000000000330000-0x0000000000342000-memory.dmp	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
2932	svchost.com
536	service.exe

Loads dropped DLL 3 IoCs

pid	Process
2856	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
2856	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
2288	cmd.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1832	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
Token: SeDebugPrivilege	536	service.exe
Token: SeDebugPrivilege	536	service.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2036	2856	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	31
PID 2856 wrote to memory of 2036	2856	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	31
PID 2856 wrote to memory of 2036	2856	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	31
PID 2856 wrote to memory of 2036	2856	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	31
PID 2036 wrote to memory of 2932	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	33
PID 2036 wrote to memory of 2932	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	33
PID 2036 wrote to memory of 2932	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	33
PID 2036 wrote to memory of 2932	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	33
PID 2036 wrote to memory of 2288	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	34
PID 2036 wrote to memory of 2288	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	34
PID 2036 wrote to memory of 2288	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	34
PID 2036 wrote to memory of 2288	2036	2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe	34
PID 2932 wrote to memory of 2964	2932	svchost.com	36
PID 2932 wrote to memory of 2964	2932	svchost.com	36
PID 2932 wrote to memory of 2964	2932	svchost.com	36
PID 2932 wrote to memory of 2964	2932	svchost.com	36
PID 2288 wrote to memory of 1832	2288	cmd.exe	38
PID 2288 wrote to memory of 1832	2288	cmd.exe	38
PID 2288 wrote to memory of 1832	2288	cmd.exe	38
PID 2288 wrote to memory of 1832	2288	cmd.exe	38
PID 2964 wrote to memory of 1332	2964	cmd.exe	39
PID 2964 wrote to memory of 1332	2964	cmd.exe	39
PID 2964 wrote to memory of 1332	2964	cmd.exe	39
PID 2964 wrote to memory of 1332	2964	cmd.exe	39
PID 2288 wrote to memory of 536	2288	cmd.exe	40
PID 2288 wrote to memory of 536	2288	cmd.exe	40
PID 2288 wrote to memory of 536	2288	cmd.exe	40
PID 2288 wrote to memory of 536	2288	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "service" /tr '"C:\Users\Admin\AppData\Roaming\service.exe"' & exit
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn service /tr '"C:\Users\Admin\AppData\Roaming\service.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn service /tr '"C:\Users\Admin\AppData\Roaming\service.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4125.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1832
  - - C:\Users\Admin\AppData\Roaming\service.exe
      "C:\Users\Admin\AppData\Roaming\service.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4125.tmp.bat

Filesize
151B

MD5
6ee2cc56ecf5a67cbe1719addac78de5

SHA1
2cc9f4769d1e93310ee0baf46ad9cb4fc808b6a1

SHA256
1be1db5bd7e372c3cdde24664b5bc816959372bc58f40bc2ecd72cda83daf6f2

SHA512
52fded295edf7b4fcadfc7845abcbc8812b3ee87124f2ac5a0d340f6b07967bea50ea0581ddb83159013f68f7397c09556a575d616c6da0e2f82ac6c7a426bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
eefacb727846c2054f80d6c25aaf336e

SHA1
2e875472ed3971a7ee17027bbd3a3280b0ddf885

SHA256
a840cdad47c73e7924cfae0366026ce8130906fd45b761fd496208aaa32f96c1

SHA512
ac16ad25f1a301f53b82135294d9b9858d39b8f73e7c3ed7549f9a17fd154f14dd044d66c4b025888f8736e21a5b4f991cedb424cb6957d9ee8dbb64ab3326b8

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8fa91495aa472bea34f0746d9d8afa41

SHA1
a76f8c6827049cd9463f807d669da38a4fe29cb8

SHA256
81325e9702d79b2844cddc4b9215241d80017e91fc35d97ae6a4c0a247a989de

SHA512
d2986a7edb0cabfb96969a42e00d1764bc50e9f570cb98f69f6dd16aa41dffb0215d12efb8cab23f79b7731255850fdcc1a7a7bd837f44c1158be34c7f1736f6

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2024-10-21_eb5c04fcf61f943270e9a73d72a4bb53_hiddentear_neshta.exe

Filesize
238KB

MD5
9d1e589ea8c4b3c59d3fb46afa940da5

SHA1
817bf841284e0279d15cb27f73a0939344dfb811

SHA256
9164f89ff66d0726e661c46dbafabf82c477a61b6d9a231170fd26910997c8ed

SHA512
a7db38a58cf9580c987fe6c3293dc279a67458850862d86d0cc60fb7c9213bf92311be2a8ac44ae055fd24619df8f76d33f32835a254d386e4e53e2602d63ac2

Download Submit
memory/536-110-0x0000000000F10000-0x0000000000F52000-memory.dmp

Filesize
264KB

Download
memory/536-111-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2036-13-0x0000000000F80000-0x0000000000FC2000-memory.dmp

Filesize
264KB

Download
memory/2036-88-0x0000000073D0E000-0x0000000073D0F000-memory.dmp

Filesize
4KB

Download
memory/2036-14-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2036-12-0x0000000073D0E000-0x0000000073D0F000-memory.dmp

Filesize
4KB

Download
memory/2856-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2856-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2932-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download