neshta | fb011da84d2d5b2c34db541a123740541b475473372f34c3a089a868c917ab4d

Analysis

max time kernel
128s
max time network
132s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-10-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
Size

357KB
MD5

6bf7f042a995443f9c0204f536a0b357
SHA1

791aba517575efe40ef456b4c07841e1ece3a98a
SHA256

fb011da84d2d5b2c34db541a123740541b475473372f34c3a089a868c917ab4d
SHA512

a1d739a08bd521ee599596d8121eb7c4e345a68a78334c3117a43b68dfeb8c95087dec479468018813ed9042368748cc651cf8027c037b8f69c942da8a089a44
SSDEEP

6144:g0ml6Qq/6mHztA93ZhbpmI0i3jraPUOV5bYsTar0vZ9fcvAHfJyFQq/CN:S0j2XpKPx1o0vYqJqKN

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016276-17.dat	family_neshta
behavioral1/files/0x0007000000016c36-34.dat	family_neshta
behavioral1/files/0x001400000000f842-59.dat	family_neshta
behavioral1/files/0x005b00000001032b-58.dat	family_neshta
behavioral1/files/0x0001000000010318-61.dat	family_neshta
behavioral1/files/0x0001000000010316-60.dat	family_neshta
behavioral1/files/0x000100000000f7cf-72.dat	family_neshta
behavioral1/files/0x000100000000f77b-70.dat	family_neshta
behavioral1/files/0x000100000000f7dd-69.dat	family_neshta
behavioral1/files/0x000100000000f7d8-68.dat	family_neshta
behavioral1/files/0x000100000000f708-77.dat	family_neshta
behavioral1/files/0x000100000000f832-78.dat	family_neshta
behavioral1/files/0x000100000000f877-82.dat	family_neshta
behavioral1/files/0x000100000001036a-89.dat	family_neshta
behavioral1/files/0x0001000000010c16-90.dat	family_neshta
behavioral1/files/0x0001000000010f34-94.dat	family_neshta
behavioral1/files/0x0003000000012143-105.dat	family_neshta
behavioral1/files/0x0003000000012148-109.dat	family_neshta
behavioral1/files/0x000100000001144d-135.dat	family_neshta
behavioral1/memory/1916-137-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010f51-151.dat	family_neshta
behavioral1/files/0x000100000001128c-164.dat	family_neshta
behavioral1/files/0x0001000000011b5e-163.dat	family_neshta
behavioral1/files/0x0001000000011b23-160.dat	family_neshta
behavioral1/files/0x0001000000011879-145.dat	family_neshta
behavioral1/files/0x00050000000055e5-181.dat	family_neshta
behavioral1/files/0x000300000000e705-183.dat	family_neshta
behavioral1/files/0x000400000000572d-184.dat	family_neshta
behavioral1/files/0x0003000000005abd-185.dat	family_neshta
behavioral1/files/0x000d0000000056db-188.dat	family_neshta
behavioral1/files/0x000b000000005990-189.dat	family_neshta
behavioral1/memory/2704-191-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2732-190-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2732-193-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2704-196-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

server.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\svhost.exe"	server.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 7 IoCs

Processes:

BOSS.Installer.exesvchost.exesvchost.exesvchost.comserver.exesvchost.comSTEAMW~1.EXE

pid	Process
1736	BOSS.Installer.exe
2732	svchost.exe
2752	svchost.exe
2704	svchost.com
2820	server.exe
1916	svchost.com
1440	STEAMW~1.EXE

Loads dropped DLL 15 IoCs

Processes:

6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exeBOSS.Installer.exesvchost.exesvchost.comsvchost.com

pid	Process
2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
1736	BOSS.Installer.exe
1736	BOSS.Installer.exe
1736	BOSS.Installer.exe
2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
2732	svchost.exe
2704	svchost.com
2704	svchost.com
2704	svchost.com
2732	svchost.exe
2732	svchost.exe
1916	svchost.com
2732	svchost.exe
2704	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

STEAMW~1.EXE6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exeserver.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\Users\\Admin\\AppData\\Roaming\\steamwebhelper2\\steamwebhelper.exe"	STEAMW~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HMBKLANGIOHIFFB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HMBKLANGIOHIFFB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe"	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Windows\\svhost.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\Users\\Admin\\AppData\\Roaming\\steamwebhelper2\\steamwebhelper.exe"	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exesvchost.com

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	svchost.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	svchost.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.exe

Drops file in Windows directory 7 IoCs

Processes:

svchost.exesvchost.comserver.exesvchost.com

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\svhost.exe	server.exe
File opened for modification	C:\Windows\svhost.exe	server.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.comSTEAMW~1.EXE6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exeBOSS.Installer.exesvchost.exesvchost.exesvchost.comserver.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STEAMW~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOSS.Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Modifies registry class 1 IoCs

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exeSTEAMW~1.EXE

pid	Process
2752	svchost.exe
1440	STEAMW~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exeSTEAMW~1.EXE

description	pid	Process
Token: SeDebugPrivilege	2752	svchost.exe
Token: SeDebugPrivilege	1440	STEAMW~1.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

server.exe

pid	Process
2820	server.exe
2820	server.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exesvchost.exesvchost.comsvchost.exesvchost.com

description	pid	Process	procid_target
PID 2320 wrote to memory of 1736	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	31
PID 2320 wrote to memory of 1736	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	31
PID 2320 wrote to memory of 1736	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	31
PID 2320 wrote to memory of 1736	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	31
PID 2320 wrote to memory of 1736	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	31
PID 2320 wrote to memory of 1736	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	31
PID 2320 wrote to memory of 1736	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	31
PID 2320 wrote to memory of 2732	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	32
PID 2320 wrote to memory of 2732	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	32
PID 2320 wrote to memory of 2732	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	32
PID 2320 wrote to memory of 2732	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	32
PID 2732 wrote to memory of 2752	2732	svchost.exe	33
PID 2732 wrote to memory of 2752	2732	svchost.exe	33
PID 2732 wrote to memory of 2752	2732	svchost.exe	33
PID 2732 wrote to memory of 2752	2732	svchost.exe	33
PID 2320 wrote to memory of 2704	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	34
PID 2320 wrote to memory of 2704	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	34
PID 2320 wrote to memory of 2704	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	34
PID 2320 wrote to memory of 2704	2320	6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe	34
PID 2704 wrote to memory of 2820	2704	svchost.com	35
PID 2704 wrote to memory of 2820	2704	svchost.com	35
PID 2704 wrote to memory of 2820	2704	svchost.com	35
PID 2704 wrote to memory of 2820	2704	svchost.com	35
PID 2752 wrote to memory of 1916	2752	svchost.exe	36
PID 2752 wrote to memory of 1916	2752	svchost.exe	36
PID 2752 wrote to memory of 1916	2752	svchost.exe	36
PID 2752 wrote to memory of 1916	2752	svchost.exe	36
PID 1916 wrote to memory of 1440	1916	svchost.com	37
PID 1916 wrote to memory of 1440	1916	svchost.com	37
PID 1916 wrote to memory of 1440	1916	svchost.com	37
PID 1916 wrote to memory of 1440	1916	svchost.com	37

C:\Users\Admin\AppData\Local\Temp\6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bf7f042a995443f9c0204f536a0b357_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\BOSS.Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\BOSS.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\STEAMW~1\STEAMW~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Users\Admin\AppData\Roaming\STEAMW~1\STEAMW~1.EXE
        
        C:\Users\Admin\AppData\Roaming\STEAMW~1\STEAMW~1.EXE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    C:\Users\Admin\AppData\Local\Temp\server.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
d4fdbb8de6a219f981ffda11aa2b2cc4

SHA1
cca2cffd4cf39277cc56ebd050f313de15aabbf6

SHA256
ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b

SHA512
7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE

Filesize
188KB

MD5
92ee5c55aca684cd07ed37b62348cd4e

SHA1
6534d1bc8552659f19bcc0faaa273af54a7ae54b

SHA256
bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531

SHA512
fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE

Filesize
433KB

MD5
c01a069ffe7075dba652a2e2e0672fd2

SHA1
36ff9b17d3a6093646a4427cd13a017d14a49120

SHA256
d47f4061dd98c1b701058b8f8c96c64613393fa59de6d3f79ad88768eb283519

SHA512
509732485f4d95dffb424b6d6c4672e7b203defa05393296b771c766b926e381dd88c0a8017a56269e953489bebe8cd3c32a9801f47fbc9bba57b3da13b5d4dc

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
144KB

MD5
a2dddf04b395f8a08f12001318cc72a4

SHA1
1bd72e6e9230d94f07297c6fcde3d7f752563198

SHA256
b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

SHA512
2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE

Filesize
606KB

MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE

Filesize
1.8MB

MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE

Filesize
1.5MB

MD5
361e4d0109807311ec8d055a2752da45

SHA1
d5d9a8e4d0dd912e391c304766b49ef7ff839acb

SHA256
f393234dadf9221f87711c11f39323b0db4c6ba4311ce9008e5251f8c55eb746

SHA512
2ba3a7f12620a381a311efd69f2fbeb625e3483d4b9efaae7098269e13ddfed1d1a254356cd385d76b5032f52587e3a2b81cf4a4b9857a9478dced566e539e99

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
cc5020b193486a88f373bedca78e24c8

SHA1
61744a1675ce10ddd196129b49331d517d7da884

SHA256
e87936bb1f0794b7622f8ce5b88e4b57b2358c4e0d0fd87c5cd9fa03b8429e2a

SHA512
bc2c77a25ad9f25ac19d8216dafc5417513cb57b9984237a5589a0bb684fdac4540695fcfb0df150556823b191014c96b002e4234a779bd064d36166afeb09d2

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
24179b4581907abfef8a55ab41c97999

SHA1
e4de417476f43da4405f4340ebf6044f6b094337

SHA256
a8b960bcbf3045bedd2f6b59c521837ac4aee9c566001c01d8fc43b15b1dfdc7

SHA512
6fb0621ea3755db8af58d86bdc4f5324ba0832790e83375d07c378b6f569a109e14a78ed7d1a5e105b7a005194a31bd7771f3008b2026a0938d695e62f6ea6b8

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
06366e48936df8d5556435c9820e9990

SHA1
0e3ed1da26a0c96f549720684e87352f1b58ef45

SHA256
cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612

SHA512
bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOSS.Installer.exe

Filesize
8KB

MD5
03d50171bffb274fc20ed2cfe4cb979a

SHA1
814ee88831b4423e5cce826db38499b73816af8c

SHA256
1311d08b756af45b34adacd29e86d6c3ebf73be1656b6255b49dccc9b19ccd4f

SHA512
697f89b41cf689a73060477ae3599955f40de7f0780d8809fca6e5e1745d471960faaf961abeb31af96eaa712fb9f6f323bcde103f0143a66a5cd08d21bdbfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
60KB

MD5
a4aaf19df5761408f6d0035838a413ef

SHA1
d2edde3476d508f64977fdabb6052bf3a6884f65

SHA256
b5301a092b889bf7f8dff2f14fc746c48b62ec46e99842eff7748048ac1f32fa

SHA512
7ca77c3c86a95c770759fb129a1c18726f1c186bc9543b12b97c36b829cad55325243d491845809e240d6ab4a75b29462a918e9f48eafd73e8a37b5ce82657b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
540KB

MD5
be42b245545f1df1a688cff8ad8e5d93

SHA1
431af3f2655e3061400f905e4e12e0ef7b5da0a9

SHA256
ff0509c47915e7bd8992910eb2caf9bbba51821fc9c7e266f379f52115c2f6f3

SHA512
c7c721df24978fc8bcf20eb0c4254239c83a7129d7c8530831b74a56404251235ac033f9faf70f8d496c1546f13531050d58fd66cb3f1390bf7ec084c01c4153

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
17b86b2276d8a8abd2419dfdd83fa889

SHA1
4029e862f64cd866fb463b6932dd14c9a42f2235

SHA256
686f6790f499cdf10a9f6333bf1ffa3debe54e45ca6089a0905cf8a884b13ffe

SHA512
9cc98766d5fb961880de2fed04f0bec45d0e89b8752b491457f7bd01f4f77525784935618da941bbe1270c18d3de67a2f5bfe25b2056e2ac827a529518a568e6

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
5094124ea58ec1e78f7b2de765099794

SHA1
2b3275853d420777433c9dd28b20eebbc86c4cf1

SHA256
ca772a1ed330590872133a485e73366fc1ba15cd3456fa6b53396c925389b727

SHA512
6a7849286d19755a2a068bb52e1b908c57e2843a6420a609b7d3575a90fef28dbedb30718031df034398c184fc4c5f54986d26f394ce73293951a4aef4e7d32f

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
6553b54fc67ecaa29477dd24facb8c79

SHA1
2f5f18aa8af1883690db876f35e0ea7c75a247f6

SHA256
e77d24502ba20a8ad96ac60543eb4ba5b71ab5f17d7acdeab2a2e5611f67c0d3

SHA512
fd7d94cbb5525286bcaab6dd75256414c9228ff4e4fa6b7c15d16bb155cd227ac79cdbf6e36c9330ac98f8a4542225c2e8b5ee06ae6dd21fccd512f1799982a6

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\svchost.exe

Filesize
499KB

MD5
82be02f0171ee399086267c639e729b9

SHA1
10652743ae17360ad5556ea6dc0829388bfadfc2

SHA256
3cf36717b14d321414fb4f0c9bf864ae39328fc8ddc94410c7660054e927d34e

SHA512
f150ef1ad0c670a052a0cfbef70445e673696f0767e9ce5047051e6adccaf1ce30039a8ee8147aa8b820e02b784cfd68f2ee1823907e225bd7b518d167117a46

Download Submit
memory/1440-132-0x00000000003F0000-0x0000000000472000-memory.dmp

Filesize
520KB

Download
memory/1916-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2704-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2704-196-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-190-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-193-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-63-0x0000000000340000-0x0000000000378000-memory.dmp

Filesize
224KB

Download
memory/2752-64-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2752-62-0x0000000001270000-0x00000000012F2000-memory.dmp

Filesize
520KB

Download