neshta | b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
Size

4.4MB
MD5

da552cc406065402eaeed7a88844402a
SHA1

99d7c24733145a4b53e6880475a6f2e34f334541
SHA256

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c
SHA512

ebb3e5e451a3f35af90d3753481d8d8c23865c477447e6945f2f063a471a5b88d9bb7e566f4a2230bf3471f29449bb5600cd74cf01ee5f3542052f59d57dd534
SSDEEP

98304:USiTxGR41OqBO6DLg1fFhywe46xlOhBx3cOAO2+DidXvh6d204OOR5qC6:25OqBBs19hm46MFA4gJ6M8YY7

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0006000000020237-22.dat	family_neshta
behavioral2/memory/3512-103-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3512-107-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3512-111-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000100000001dbf2-406.dat	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

Executes dropped EXE 3 IoCs

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exeb448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmpnexusfile.exe

pid	Process
3164	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
2404	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
1016	nexusfile.exe

Loads dropped DLL 1 IoCs

Processes:

nexusfile.exe

pid	Process
1016	nexusfile.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nexusfile.exe

description	ioc	Process
File opened (read-only)	\??\D:	nexusfile.exe

Drops file in Program Files directory 64 IoCs

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmpb448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exenexusfile.exe

description	ioc	Process
File created	C:\Program Files (x86)\nexusfile\lang\is-1GGDR.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\gray\is-ES5CT.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\Program Files (x86)\nexusfile\unins000.dat	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-F8H1G.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\gray\is-C3F5U.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\black\is-R9NHA.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-3HS1U.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\lang\is-0GH5H.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\Program Files (x86)\nexusfile\Ark32.DLL	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\userdata\nexusfile.col	nexusfile.exe
File created	C:\Program Files (x86)\nexusfile\skin\black\is-AQ3BP.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-O0J01.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\is-46F8V.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\colors\is-NRPDL.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-HLEQD.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\lang\is-US87B.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-DCC8Q.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-KBTQ1.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\default\is-LIPNP.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\Program Files (x86)\nexusfile\userdata\nexusfile.col	nexusfile.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\default\is-4F7HH.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\lang\is-SF7BV.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\black\is-P4CR8.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\is-5BHLD.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\gray\is-P1F82.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\black\is-K85NL.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\gray\is-IAA3G.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\skin\black\is-IOGGN.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\black\is-RP3OL.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-3JQBN.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\lang\is-2NEGM.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\userdata\treeexcludes.ini	nexusfile.exe
File created	C:\Program Files (x86)\nexusfile\lang\is-J3M8S.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
File created	C:\Program Files (x86)\nexusfile\is-KPP0M.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\gray\is-6MTMC.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-H2RVA.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-1NL33.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\classic\is-S9FKA.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\gray\is-AGJ8D.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File created	C:\Program Files (x86)\nexusfile\skin\gray\is-I2F2A.tmp	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

Drops file in Windows directory 1 IoCs

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exeb448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exeb448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmpnexusfile.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nexusfile.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nexusfile.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	nexusfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	nexusfile.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	nexusfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	nexusfile.exe

Modifies registry class 1 IoCs

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmpnexusfile.exe

pid	Process
2404	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
2404	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
1016	nexusfile.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp

pid	Process
2404	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

description	pid	Process	procid_target
PID 3512 wrote to memory of 3164	3512	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe	84
PID 3512 wrote to memory of 3164	3512	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe	84
PID 3512 wrote to memory of 3164	3512	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe	84
PID 3164 wrote to memory of 2404	3164	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe	85
PID 3164 wrote to memory of 2404	3164	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe	85
PID 3164 wrote to memory of 2404	3164	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe	85
PID 2404 wrote to memory of 1016	2404	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp	101
PID 2404 wrote to memory of 1016	2404	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp	101
PID 2404 wrote to memory of 1016	2404	b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp	101

C:\Users\Admin\AppData\Local\Temp\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
"C:\Users\Admin\AppData\Local\Temp\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\3582-490\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Users\Admin\AppData\Local\Temp\is-VHMPQ.tmp\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-VHMPQ.tmp\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp" /SL5="$70114,3678960,780800,C:\Users\Admin\AppData\Local\Temp\3582-490\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Program Files (x86)\nexusfile\nexusfile.exe
      "C:\Program Files (x86)\nexusfile\nexusfile.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Program Files (x86)\nexusfile\cl32.DLL

Filesize
1000KB

MD5
e2c24bfef243ba51ea21669906fbe6c5

SHA1
f2af98e50f43e57989fa499888b3f32c7da9fb4d

SHA256
0cb909be74c2b67ab629d3be60cdc0011cd73c90bb3977ea60362d54966bb0c2

SHA512
13acb6a050f9c5559ec54f276f9e74c4e83b45d5523b75ee19da54ab6328071314ad38967c62d82edd3574d9c8c296ba2a2bb9ef5592a4eddd95bbe0b70f0f8a

Download Submit
C:\Program Files (x86)\nexusfile\default\nexusfile.col

Filesize
2KB

MD5
688aefde2af89d8b845b41439ea209aa

SHA1
93c40eeb0bf6efe2623603deb513d251d10c5399

SHA256
b609a8f5611d13ccf699eae2c5155a49353d90608e415693f88bb39eb12712ae

SHA512
abafa0bd803fe1f17222a50530322f611ebe9d1e56a07f9e3133df7a75fd2f2878912f28f247337d6c79779c059c280487710ab11e6b63b847c106cf9f008f4f

Download Submit
C:\Program Files (x86)\nexusfile\default\nexusfile.ini

Filesize
3KB

MD5
0962aa191bbad38be5db422f505d5006

SHA1
bd27215d5ce1ba49b06ecace615f445299d16080

SHA256
d34a3e82253018c6b1fb992c80212fe749f9a2486bcbc86f8b3eea63341e9994

SHA512
18f919362cdab2a419f69c8f3544ee5371d1ea825d866b9d2d84b0d09ad7fd15712dd9e59a973b96776d82cf7aa4aa7e3cb3d09639f1e1ed10ce75a27f1ead03

Download Submit
C:\Program Files (x86)\nexusfile\default\toolbar.xml

Filesize
1KB

MD5
f44bdbdda00062ef48d1fdb68c063048

SHA1
f151834ec31565f4618a5f60131ea861d8304d77

SHA256
bd87a7fc89306b3af73fb5186d2ce29bea9d7563b03dadf02ad0545282945dfe

SHA512
faf821f3474ee24a9d469c5b03940001a9fe45f89287b19cd42ff4c32e10645dfe609ebeea65dcf5765d211a211583beac11dc72037c3cfab1699b3955590134

Download Submit
C:\Program Files (x86)\nexusfile\default\treeexcludes.ini

Filesize
448B

MD5
934b7428b4be5420322264709b78a2f9

SHA1
117fc1bd2996a2b5e40b77af07fcfe773960388a

SHA256
3c737823f0eb6d87e99b92fecd9aa6229397a989cadc70841bbb892a08618143

SHA512
19d4d12069d9d7ed1689178a6f65a4015f1cd70a7872fe16940f24f92368e362e9b19a409d8eac89338c76f90b6068964efe000f3622009fb62f197da8618345

Download Submit
C:\Program Files (x86)\nexusfile\lang\en.lang

Filesize
32KB

MD5
a9fd6c45add0d5f14d3212571de8507a

SHA1
3ebd0a09bb7fb5d063ced50eabf8393702e40dd3

SHA256
a620e9587000d0979115e7772de78c66ac28b30783089decde8697850e82294f

SHA512
2898e6cc7fca63070dc9216f54b55838b48a8cbd2f2c8322d138ca5c05845ab19ffb5321497e6e7d14347c0231990cfca3337cc9289b875603b087c46f6610ea

Download Submit
C:\Program Files (x86)\nexusfile\nexusfile.exe

Filesize
6.4MB

MD5
601cf1635431c7ec5902f10bf9fb2837

SHA1
53f59a6528e8673b0c076e39fb1b19e52ea6275a

SHA256
86d6da3d0c07e51dacb592b2089d577150bc5cad2936ad9655c87b9b86aa674c

SHA512
0e0093d8ebf6b06b49e68ee70e31f7ca3a90794b01e43e79650753e48511c3d957bdbd2ffa3025cacd525b5699fe019ec578b78cdea354ec8d231672fdfc9509

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\addressbtns.png

Filesize
3KB

MD5
2cbfeefee4676fefc1875433063566c2

SHA1
13cb4cc34f25b60132230f5ccebab67e7e31b9f5

SHA256
86d609c62bd161f68b1ac3dd6bd5027946f41e9022958d2032a0ef7830702d18

SHA512
3bd45e3d2529397e1265eabf4ca5ac211d3653f866e7e80b0d489ec9980e9a4a02aca52c8c55c09f69f8e457404568cca3d5e0bafabe78b38831676533e2bdd6

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\btnbar_back.bmp

Filesize
760B

MD5
7d6090e9d9f5ceea7d543d0d8116c20f

SHA1
e5e6cfccf5d4ad3aeaa3d4a5413b8dc9aa6a820a

SHA256
b7bd0da743b74c57333b3cc1c52a036c6ef2eed3e6dcae2f3f6e91cf65078f04

SHA512
52d812a0f45c5106c521b81014dad42f7a217f0f6e885d88b2884b7524fcca32b391f4e0c817e43ec7eb51ecb11c7bcaf7f07e061ff4673e4d6b09e9069d080e

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\btnbar_divider.bmp

Filesize
112B

MD5
fbe42c5da9a991b8f131463523fec5f8

SHA1
241d29a3d23e6668efec2792a09d08e5092f42be

SHA256
6633fca21dbfe03bae3526ff6a6e46a4d8b9fed7c180fc24f85c9bb2b22b6976

SHA512
025fe0eced405d74d90373caa8a18741af421eb312f36ef5a9c05d0f5dfc14ec04e0edeb202647298b17aa49dc80511c1637a47f86ba6302615429f31f349cff

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\conf.ini

Filesize
1KB

MD5
a00a5cdddd553623d77360370607b824

SHA1
8f7b5fa307de80e90236bba01fe3506399501bd2

SHA256
4a0f6c667ec16b21b2b6e5b3e845504d7fa3deb1d75c4bdc2684dad95b7f3389

SHA512
a8d43f05c21407ee2c8ce01ad885095e299523d113f99e80fc9289ce2af8cda93ceef098765fbf3cb01e4d7308a76460b52226403f01fbff90c1fbaf2c030af2

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\scroll_bg.png

Filesize
2KB

MD5
9b1c0a63f055f4f9a0bdcfdb16586a37

SHA1
28a84332face02472b83df965ef85b1ff91df78c

SHA256
1256288d52d23960033cf13771ede111608a919bc5efa42926c4d113379b3413

SHA512
0fb5028dd43a4cfbd677121cb46732035f38072534dcc5811166726a963a368b59d4b374d50229a903126f30250ed618842d12a5b566d7f025e2a5cd3fbfa7f6

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\scroll_btn.png

Filesize
2KB

MD5
96704b829ea88ab2b2939aacd9110c04

SHA1
dab19726e9f195c0d9e131e491ade2763e95f533

SHA256
ddee92ff15f582b7df404b13e4845ff68fd02fe3240d4b3c4bceaa8b4541b9cb

SHA512
1b92513f80a9a24f78f5c2d6c2f3a8c628e227f7d42d9848032d54011c966931b886e3d3b2fb11d2fb1b4ec6d301e74700c3c8279dfca64126eb1008b06925b4

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\scroll_thumb.png

Filesize
2KB

MD5
450bd074c5e7608ed00fcd9b99d3ed29

SHA1
df389833074ce8ec69a26f331f35db03170fbdc8

SHA256
1338ca1ca185a02b84d0a54515b8a7c4c50cff0af2a890cebd54b27a644bc331

SHA512
285f32877dc2820943411e5079f1367f807cd9adf016a3bfd3240adcba77fad2ae133f01353badf8c370a3828c94d0796e415673b9d2061d7d91b558fe083978

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tab.png

Filesize
3KB

MD5
d26589a6ad25b4732fc75d7779f62c2d

SHA1
3cf350da1029c8adc34a26b87e30118b30200dc0

SHA256
07bcc63bb7185b881a0758c5d55fbd173aac645314ce800f7f28ccfbefd2df20

SHA512
60609a09537472799ad86daf8d03cda2908e065a13d7ec1a2c90279d5d678f85bdc298ae5057606f4c9ee9ba1ba4807c0056a03b356e730d08ec1d11d21290f6

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tabbtns.png

Filesize
3KB

MD5
92a30fc157c0f2974fe417372901de77

SHA1
997b3f176ac02e11fbf8e52011ec37bd57d2ffeb

SHA256
9c0755e0caac50999485eaa958c3312fa2ea0dc0674ce3e9d16c1fa1b92ec381

SHA512
bbfb9ef81bff01bc6913961555725436c4c8af18a9e541b7afcd42645bb15e4394efd906293003fff31925bbee7ba257c11727f05308798c0bf357546afefed0

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_back.png

Filesize
3KB

MD5
2f9cd38cdcecc69e5ca26f86c7b22ffe

SHA1
5a670f6bc1a325b553720197e0b2e8843881b7f2

SHA256
2613ab07be30147c23df974560b3c8aa28af00d5b2d8f4608b3cebb8d59b0307

SHA512
3ee938edca46a40e9917425cbe3e980d689a32fe4941bb7d728d90936c8762b81421df872c01cb00727f8b75e87b85bb04184e29197038e964a6566b4f76e931

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_desktop.png

Filesize
3KB

MD5
0fca9aebf5c131e997e9ed195f70ae00

SHA1
9ef39081a9edcd07c28e1cafcf424c9da65fed77

SHA256
af0e0c94fbf9334d3f692c84d9abde2b514af89d1a95a1ac4638ecbdfd0c222c

SHA512
1e98413ccc1228cea19d7bd3a8baa595910de511bb4f4ad355ea94c406fc12b28e9cd5439675fbedb9ba954c1e5c53c77495ce72e1c5983b5ea59beddf6248a7

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_documents.png

Filesize
3KB

MD5
ba8970160d3df07415d8ac728af48e4d

SHA1
faf6ebe0ebbbdbeecb383577811d47575d0305af

SHA256
449729c011e3ea6221458a961581fd9dabf52332805750a5f6dc61bcc4fb30f6

SHA512
820c063bc7c749104b8cb2c6d8112b7dd02e1ffc212ffbb175389ae700a95f035790738ea4a18aee1f1a9863b0d6f133a05c2853683c33c047af9f8709fbf797

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_favorites.png

Filesize
4KB

MD5
8346ea9ecadfbdf363462df0de9df412

SHA1
7e9059ed906cc971fbbcf1b08773cde1cb5b3e00

SHA256
02469d42592dd31f3f7e7189ebe2b731d2149ba6442bc33e691cb07efe7ed7a3

SHA512
99faf433286cb33d645c592dd0ca4d07c8a84a320391b055f820f2a14b7555283b5fa7f02d9846e628cf6d8362fc3754e58685874edbb414a2c540a50647b7ab

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_forward.png

Filesize
3KB

MD5
07011f302bbacd8f44c5d9cdd642ebe8

SHA1
e3a565d62bc817172f4a8b727a338ad49326ab2f

SHA256
1da5be045dd17ccf4b2922e7493b0af8b3f046123f86bcc7b29d6b17e76173db

SHA512
4a2e074edf3240e3877dec0498ec445cc6d47f1efc73ab3485921f3e407d9b1492adc8da7c7f9a0bd5a9660aa86563eaf6648687dff6c247fdfad9613bea5d80

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_music.png

Filesize
3KB

MD5
cbeb2a8c0650d649a316e38d5a2f2fae

SHA1
12850b29903d2983edf1cd8d157e79977e466a0b

SHA256
ad7acf4369164d0f79eff40f1b9096e1dbcf9a51d2514d771985cea0bc1db192

SHA512
630e7a55791805ea12c06abfb52ff82214c33d2f929ba477f32d3d256d8c4671e2efeb1920e3e8c7c10b1dc11483067f9f1c7316e0684d39b89f6689305b8f75

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_pictures.png

Filesize
4KB

MD5
231851ab4adfea162432b7a4f69f6fba

SHA1
65f96e07bc8620eca7a292c94f06318cc5d4a135

SHA256
fa34ff732e3dc55487e22c28f62c81fbdf9aeca7baa5a41d476c09eb2913a187

SHA512
5dd898e42c4bd418d0353e8b06d375439013108c70084fa6c5adbd61ee9fd26626114263b8ececd7fa0f781d5fc89740d34d6065981dd5b9bbb78ded0e2c2cbc

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_recyclebin.png

Filesize
3KB

MD5
e54a375a6db566dd7a998702677483c4

SHA1
9c9a38685cba7cca7443c8056c16126aeac41ac2

SHA256
2a5405e50198ef4be08cbd83377a5b7fe6c0e8edb98faf1d3b0da951d7fe55eb

SHA512
fde45c2e987437f4c81c135ea1fa36b617010de8b3c9082123c83fb60c0c6ea67c31e40d5c134141fbaece0d5807435fd8383510857a299bd38424fa170bf930

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\tb_videos.png

Filesize
3KB

MD5
3599673aa506227270f7ec00fd15d558

SHA1
47682afda9aa76d291cf71f4281605f12fc80e1e

SHA256
d749e9289d7bc635799b60a178cf007ce1e1e69fc7337992b0faab1a3d2f2412

SHA512
ca4525081a6a422f314dc23d0286742df67d57aeb25613043a75d779dc10775cf49de6090afd86278009462021c7a0efb010675cda67ec35ab53c14b9d55c050

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\toolbar_back.bmp

Filesize
1KB

MD5
d2183eca22cb807d558f289e9daf1fab

SHA1
3e93d19a6e0865c92933957277217a76f6de82af

SHA256
e973f825830bfa0ae386ec7873e4f41da029fcb479e143810ce034506c24388a

SHA512
205954eb7d7a3e6c300803935ace132d592d495e60609c2e54bd96d9436132a3a21552fa8985e25b08805be317b1e3b5c1bc5e2b6c1c7371d796b619c6eef831

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\vertbarbtns.png

Filesize
3KB

MD5
ee59abf3f22180349477c897518600ad

SHA1
7d76d2be5908d5f4e8de60ff3dcf26abff17f58b

SHA256
99aeb451da64fce9b4e6c4705f608feb2623924bbde843c9ceddf0c6a9ae3821

SHA512
4b960c1a5610fd7f32bcceeca742d3ba940bed3a3b6ff02185506fe8b2c838ddfb0aa89d6e685ec90145fa5e589ce8f9cfc93372c3649eb3b4d9188578be783b

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\vertbarbtns_over.png

Filesize
5KB

MD5
829a2b35fc382a25a649c7a55ba74aba

SHA1
a8d79a1d68f2a0b136b10d9dd40342718cdd56e1

SHA256
09ac93add267eb409e636252fe3a8c25838cd1bf8b64c3f04777794cc6d42b33

SHA512
7727b83576c499f9a11031aee089b1469aed6316f9ad087dfcc807553fc3197c1fb1dba1392f9331f502296dc5d170184d394d2b58d125c430d310936b6092ee

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\vertthumb.png

Filesize
2KB

MD5
85c203dd9c67d4c9a50e092a3472d9ba

SHA1
cb075120cb347077fa1a6c250edd3797f7f7a9ab

SHA256
6144760f05ec203d9e9e71c60a10e832d5a0d9cca32280c48e6dda4ecf1212cc

SHA512
bd6fc49e67a20aefbbf6adb1975fbf8b48d5e60fb360cfcd0ef9a968a872cb157d050018f516f57bf2573aa37daa5ab5b56f270e2878a93b5469628119e4330b

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\workfolders_over.png

Filesize
4KB

MD5
382a09da224702c06c55b3221adf474f

SHA1
1faa909e3b39f748ac886ae699f95851027c4e3e

SHA256
4cccab24d49068565b5bbbb4b063770b2574c56e724222ebdead80867b836010

SHA512
25b4b123b7185c482b3dd0818c03338882f429a6cad2a192385f219ddf2fc382351a7cbfca0e634050394c5af652d020b593d203c51ae2aab6cf60bf8b93b527

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\workfolders_set.png

Filesize
3KB

MD5
6efff7c26029da35c5bf46635150bda4

SHA1
4956c6f4eb7bfdbac05bee0cf37169091add84dc

SHA256
fbb89ea3b565f652435126f83127567df78662b6d9808e740d00c062b20735cf

SHA512
9a7ef1113b6cf25037bb8558c20d045fb42ce748d82491c8b579ce7ece9077f2a8d5d929d7f302f3820f5f3f4172780d6ab39c3611da12040e6b479b4c8fa3f8

Download Submit
C:\Program Files (x86)\nexusfile\skin\black\workfolders_unset.png

Filesize
3KB

MD5
0106d951f6a34411303bdecfd29436c0

SHA1
ebafc89deb08ec5dd366558ed74a80289c7d0256

SHA256
61063998efa9b97e57944c42ed4aced1512556578d8dc74ea7975aa5162a49c2

SHA512
dcdae30e137ce0b1c5738aad545a09e55da7f46a6a45b5062ccbc76429fb82aa200d982589c1ca07874fe1e35dd4136b91e59f18723323985f2f833ee17ffc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.exe

Filesize
4.3MB

MD5
53bc73459e145644b7bbdfb528c4da79

SHA1
1cd9e926c8a2405d57a9cc58ad056227a104ecaf

SHA256
a76ae2de6ab0e072866133092668af788a7a3d1e664444e7fd7c4b12686ac900

SHA512
fdf58b86688340bcc967cd291047ff8eb2fe1606feb043771ce92f56fd54cff52c249edbb14f0abbe6bb79ea9e2434d6ef961f053f005707c94a357070f6d97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VHMPQ.tmp\b448ac321adcdd3efc08fb881098c304d312a5892c9149f209e677f6bd9af20c.tmp

Filesize
2.9MB

MD5
45a158a053728dbd05062951a3f459e5

SHA1
ef5b84fc96d6614341854fa97aa49e469a8b3959

SHA256
b8088a53c6b70210b37c70295fa5cd8e4f03af82bd73c25fc47562f337ce9bc5

SHA512
561d9c2d495ccc08fd93bcba8e225843b951aa76bd14f44d3c6508d01160ffd1dbc44add51791e286eaa76f6900905c95d7e2586f0686afa3e95074da9c9e088

Download Submit
\??\c:\program files (x86)\microsoft\edge\application\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
memory/1016-362-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/1016-421-0x0000000000400000-0x0000000000AA5000-memory.dmp

Filesize
6.6MB

Download
memory/2404-106-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2404-18-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2404-109-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2404-405-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/2404-357-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3164-104-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3164-13-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3164-11-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3164-407-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3512-107-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3512-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3512-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download