neshta | 6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5

Analysis

max time kernel
139s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2024, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
Size

2.1MB
MD5

1bbd6849abd2549ab2979f9c257c1562
SHA1

86df4c9647157c24c7529702224597f1c4540fbb
SHA256

6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5
SHA512

cf750badebedf75456a3680f6dedea07b80842e6efa12620574bf34aa6171a7c1f82aa444515a905e6f8ded975616de1137de4a27ef168633a4266355e2465d4
SSDEEP

49152:649dU9nTEhaR59l1OzQXsRNyOr7YuDwebnsI63/0Vbn1dF2npqO1uJr:B9dU9n+K5jozQXCyOrYebAv0VZ2nT1uB

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020228-23.dat	family_neshta
behavioral2/memory/1020-112-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1020-115-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1020-119-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000100000001dbdb-154.dat	family_neshta
behavioral2/files/0x000a000000023b9a-168.dat	family_neshta
behavioral2/memory/1948-178-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	msedge.exe

Executes dropped EXE 6 IoCs

pid	Process
4896	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
2888	PasswordFolder.exe
1920	msedge.exe
1948	svchost.com
1260	msedge.exe

Loads dropped DLL 1 IoCs

pid	Process
4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File created	C:\Program Files (x86)\PasswordFolder\data\is-FK382.tmp	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File created	C:\Program Files (x86)\PasswordFolder\is-F7NK5.tmp	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\Program Files (x86)\PasswordFolder\unins000.dat	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File created	C:\Program Files (x86)\PasswordFolder\is-03RU6.tmp	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File created	C:\Program Files (x86)\PasswordFolder\unins000.dat	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	msedge.exe
File opened for modification	C:\Windows\svchost.com	msedge.exe
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PasswordFolder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Protect by Password Folder\Command\ = "C:\\Program Files (x86)\\PasswordFolder\\PasswordFolder.exe \"%1\""	PasswordFolder.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.pff	PasswordFolder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File\ = "Password Folder File"	PasswordFolder.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File\DefaultIcon	PasswordFolder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\.pff\ = "PFF_File"	PasswordFolder.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File\shell\open\command	PasswordFolder.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File\shell	PasswordFolder.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File\shell\open	PasswordFolder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File\shell\open\command\ = "\"C:\\Program Files (x86)\\PasswordFolder\\PasswordFolder.exe\" \"%1\""	PasswordFolder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File	PasswordFolder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\PFF_File\DefaultIcon\ = "\"C:\\Program Files (x86)\\PasswordFolder\\data\\passwordfolder.ico\""	PasswordFolder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Protect by Password Folder	PasswordFolder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Protect by Password Folder\Icon = "C:\\Program Files (x86)\\PasswordFolder\\PasswordFolder.exe"	PasswordFolder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Protect by Password Folder\Command	PasswordFolder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	PasswordFolder.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 4896	1020	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe	86
PID 1020 wrote to memory of 4896	1020	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe	86
PID 1020 wrote to memory of 4896	1020	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe	86
PID 4896 wrote to memory of 4620	4896	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe	88
PID 4896 wrote to memory of 4620	4896	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe	88
PID 4896 wrote to memory of 4620	4896	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe	88
PID 4620 wrote to memory of 2888	4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp	102
PID 4620 wrote to memory of 2888	4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp	102
PID 4620 wrote to memory of 2888	4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp	102
PID 4620 wrote to memory of 1920	4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp	103
PID 4620 wrote to memory of 1920	4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp	103
PID 4620 wrote to memory of 1920	4620	6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp	103
PID 1920 wrote to memory of 1948	1920	msedge.exe	104
PID 1920 wrote to memory of 1948	1920	msedge.exe	104
PID 1920 wrote to memory of 1948	1920	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
"C:\Users\Admin\AppData\Local\Temp\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\3582-490\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\is-BQ55R.tmp\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BQ55R.tmp\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp" /SL5="$D005E,1673388,498688,C:\Users\Admin\AppData\Local\Temp\3582-490\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Program Files (x86)\PasswordFolder\PasswordFolder.exe
      "C:\Program Files (x86)\PasswordFolder\PasswordFolder.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://passwordfolder.net/
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://passwordfolder.net/
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://passwordfolder.net/
        6⤵
        Executes dropped EXE
        
        PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.2MB

MD5
5119e350591269f44f732b470024bb7c

SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014

SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873

SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

Download Submit
C:\Program Files (x86)\PasswordFolder\PasswordFolder.exe

Filesize
6.5MB

MD5
b607b7ecfde67e315157acb6e07c7356

SHA1
742bd5b6d4c088ae448e37b52f4e5a527c7e1c48

SHA256
9cc4e661da1ba49ed321bb04bfbcd251b7078129890dd6e64828dacaddf60865

SHA512
566bf8d6f3d0f67e2e186dd34856c8613b28d8ed383e18e2cf423b216e59997d0beffc170e010a1989f513d41826e2fdfde7c59815ed34e31b660f2bff8d5758

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.exe

Filesize
2.1MB

MD5
3788afab0101919a4de8ffeb9ca1a848

SHA1
2b12fa7505550d80ac2da12684f3162ddbaa4cd2

SHA256
2bd92b48507cd2dac5158d684a122a78442fc413b37ef2657169f872530c74a7

SHA512
726a2f8679d5fe0f41c5de9b1077db6f5036919dd590b7df1920c6e43b3bebdb43ed7859e8a8aba890b4b2a216fa554385ac7ee1e5f257cf07d6c2c1b9fd0039

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe

Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BQ55R.tmp\6d13164d53d8fd58b5eefa57a6e6dd6da2335c986ce7b8562184ca4d2a2043c5.tmp

Filesize
1.5MB

MD5
1cd08277cff9b87bf71727923cd56846

SHA1
3c093ca141b2a54a9d29f083da03eb2e29343fe2

SHA256
dac04b61a5a7f0c32014ae27159c6b6570e672ddd542e75abb79763866ffb937

SHA512
8565aeb5e2bf8f19feed147afa2a0532c15d7fda8f3b79d140ff16092a6c4833de97043b6ea11b96901e703aa2cccc30339910d4fa8271b8efbd95946972a6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DPLK0.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
82ac1f86386485183d23a725e1263877

SHA1
42ae1199a9b622951a67fcb4444a007e003e3e0b

SHA256
8dd62d6bfddf74dec9e8d46a9d54b1fcfd6c952bcf20c87f0e43e53e61a24069

SHA512
91bd505c89a0eb13b12dd8668fbceafded70e6795bf3c1d2b6c67eb580ad97e5e86bbce8adcd00c8c5589ec4a1f4f81fdf1bb892c5ea15e17946a0a5114d6835

Download Submit
C:\Users\Admin\AppData\Roaming\paflan.ini

Filesize
2B

MD5
9cfefed8fb9497baa5cd519d7d2bb5d7

SHA1
094b0fe0e302854af1311afab85b5203ba457a3b

SHA256
dbd3a49d0d906b4ed9216b73330d2fb080ef2f758c12f3885068222e5e17151c

SHA512
41dd75307a2e7c49caf53fff15aada688275ef4d7950bedf028612b73f343ed45cf51fe1d4d27f58ed12e93e0fd0ae7f69428db169211554d1b380c91aa5cd01

Download Submit
C:\Users\Admin\AppData\Roaming\pafsound.dll

Filesize
4B

MD5
05c12a287334386c94131ab8aa00d08a

SHA1
95c0282573633eb230f5064039e6b359e05e8752

SHA256
91c9c3ff310a53f8d179461d9af55371c78b67c38ab030bf9c026693ca495399

SHA512
82d732ce4104f893e2afede4151d49d4a797caaf8f69e98349da70645293108633d9a27a9844712a562423c3e589061e99f6a3ab1230a21dd360ab464aef9915

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
94eaba5ac212d43d5953228a2f0cd500

SHA1
97fbbbcca915505ef62d3d378f66cfbccda585bf

SHA256
d1853b9240c1b947f5df246e8539ddaa1781de825d6ee0bce362fbf1111a62ae

SHA512
cf66ce8882bb9ac4b541005f5856e0e7facd65047d6e65e08c4afd244f44af54bb87d4080cd01efbe1e3db649261567072808cc6bbf03f379fc7a46ff7ccdf21

Download Submit
memory/1020-112-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1020-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1020-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1948-178-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-159-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/2888-153-0x0000000000800000-0x0000000000E8C000-memory.dmp

Filesize
6.5MB

Download
memory/2888-155-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/2888-157-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/4620-117-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4620-149-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4620-121-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4620-19-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4620-183-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4620-114-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4896-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4896-14-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4896-184-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4896-113-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download