neshta | a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a

Analysis

max time kernel
41s
max time network
22s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
Size

455KB
MD5

9f475c0df542d7ba5e55237dbd3ae85c
SHA1

6e7886f81f47484114702952027c5094a28cb786
SHA256

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a
SHA512

151c3cc25e6835462ddb7a145efdae2f54abe294b2ff2b572d332afb464957fcbd7b3ec4c27510c7b66fd9ad956c8f64cfb12891f94629b825805488dd947128
SSDEEP

3072:sr85Ca0WO5POwFaXnJE/9fdLNY5qshcSVcghEiiSkSb4rr+oR/ClP9b/gLwziCMI:k9P5HUJElFZwSeQRaR9bYLw5ziIbB/

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0001000000010318-10.dat	family_neshta
behavioral1/memory/2540-629-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2540-1061-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2540-1063-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 2 IoCs

Processes:

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

pid	Process
2512	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
1180

Loads dropped DLL 2 IoCs

Processes:

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

pid	Process
2540	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
2540	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

Processes:

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

Drops file in Windows directory 1 IoCs

Processes:

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEa18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f0000000002000000000010660000000100002000000012da1f73abec6f0d2b83b1726ef5d76bd70de8f246eefd344729f7ad7f38dc32000000000e800000000200002000000018123b143ad09d610bead699e26af1eeaf9674f40f34d56a816b533dd7d73c2d90000000007ece3e88fdf40d4d407eabb1d8debb4231bfb4863812e2d32ce6cf0d7d10dae1a8927fb05f5e3ef6cd9a93610ae6625673775a4bc17d0c557ec5bd49a710b5a523eb30f3e7be8aa6cde4d0eb737186c28b902508a527898792690fc6e53dbbe15bbc8f95e336a08f37eaab896ea2bedbbd2d2eb4c387d25a43109b0690bad899e5eaaa47294ea8a2f897861a4f67694000000009f6d66e21b899730dd3b8e5d66a0bf6913476ecaf7464d3c3aec6a9909f7c3c3f268cbf0cd422de3a0bf59abe5cd9ffb28cd320a2e457421aac67d570516ecc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f0c358272edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{82399E01-9A1A-11EF-8252-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000008596668fa94ed9d2f9ebf0847867e57eb93dd26a1faea788cab0c896e8c7418f000000000e80000000020000200000006f5dd728e2fa696232a3ed53c42c2a0425daaf6f41089f0cfdb4a993c954e8e520000000498792995f5fc09c6ff064bd1321fc4fee9fa83ce86cfdc58067b680e0c6310a4000000040ae3819f859096b8b7477266a30b21b02fadfd457fbd0341aeb03aa06c8cd41b72aebd93a7cca0b5ec8f43f7948eeb581397981c775b7411de34b6fd5bc1bef	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 1 IoCs

Processes:

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
1736	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1736	iexplore.exe
1736	iexplore.exe
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exeiexplore.exe

description	pid	Process	procid_target
PID 2540 wrote to memory of 2512	2540	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe	30
PID 2540 wrote to memory of 2512	2540	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe	30
PID 2540 wrote to memory of 2512	2540	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe	30
PID 2540 wrote to memory of 2512	2540	a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe	30
PID 1736 wrote to memory of 2216	1736	iexplore.exe	34
PID 1736 wrote to memory of 2216	1736	iexplore.exe	34
PID 1736 wrote to memory of 2216	1736	iexplore.exe	34
PID 1736 wrote to memory of 2216	1736	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
"C:\Users\Admin\AppData\Local\Temp\a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\3582-490\a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe"
  2⤵
  - Executes dropped EXE
  PID:2512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://zoom.us/support/down4j?os=win&err=20030000&v=2_6_1
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1736 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f98d4e6a7a726a3df12e151628d1ccbe

SHA1
4f9578e0ffbf9feb87aa2eeb5eee4618f3a18f47

SHA256
0d0a3be7ed7a8c47254c034e67773f4bbd44d3095e4e1c9673d77d300e70b9c6

SHA512
3a9bd1400e6780db4a493a6531e04747adbd1c3c4ae2913c66761d64c48f9e051fde825e7b87342d708062dbbcc2ba60b68b881615415036067bf2a1d5175193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f911f24c62c221b0f59b23dfce4ddd03

SHA1
f6c7991f931ccb7ac8892bda00cf015b750a32b8

SHA256
56e03e9c917f3521bfe8e1092db4339f9853597f076c097d891da3762f9727d7

SHA512
da66412e83c6a97ef98cfcf9936e6b2e7f86076b3342bb9f01ee321df0370174cc7c699f5f473e00d873a4403e46643e18066796e4fa590528e98cd29ae19a17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb5af1ab425bae81e81b225fb6a0b084

SHA1
27aad97bdaa0c267f5f21f811115f96085535448

SHA256
4aacb212ef4adc1ee4694a5e67c2cde4e324b8bd2f5788e1eca1198c7e7557b6

SHA512
3167a400cbbf9131d723fdc173ace8360d7909fd8ff0883c0124e26d06cb63efd92981323d526c97f7c9e9e4ce94e6e15f9aafaa2d272e3cc0a1a26bd9c5c188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01d9136b8e0430a7d1ede3d13a732fbc

SHA1
387b7788237ad51dadb3bd31b24eb004f9f03641

SHA256
e897c00754b5450b27f480fd67e0de2c69743753a179007abca2b6da151bed63

SHA512
421f72e15fd802b870f9c080e9f44cb404ecc2249a7bcb191311942d58ad9f6b5f86e86928f7c4036f715ee3514cac73ace3b0ec2aae2da60de63e3256a14fdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729684a20dfd046e3376a8121929043b

SHA1
49d3850a81fc43560048800ad79a64e4b20c786e

SHA256
4ce60e0cb034f40d8df29c9eea74c52a1b5e40b0ea1dd0e95749aa83155f88f4

SHA512
09e0214bea39d9a4195d76c8836e4c2e0f2c4d2db8ed2918da1f29dd8826ad9ce2142b2b27e9be5d8acc17118eaea81db3e6e55a656b392392c380e7e8d09ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d654d64722ada7bd750eb9b127295ab4

SHA1
8953b75ef188d10320eb9a27a7f9e1f52c2c9e30

SHA256
869b64c8572ea2352f24de09d2441a209a766a4181cb720534bb386f1e0bd99c

SHA512
7ad23bdb16d467bba933a97ed20f10dcd0198fc08a90c2291272fab555ab34a391e3c53bc616e2d781b331d0087f03a01fff9d1030af95c142b39c2b6457e70e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaf7fa13c37cf54591348d7b63e7be2a

SHA1
6b29023d0a989d9b4942513faf208fc3e107ca81

SHA256
9b978c6198995b8260639937e6481eaafc8743113020af12194890750c1b8ea0

SHA512
98937b7fdb082f5d70a8fbd85441df18c9645eb16361bf038830834f9d017a46f2129d21534de04bbe708a84dda23e05c7b3a6cd1ae28efa1c9bb01c69160223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e5dca0ffa27a524bfd8ffb7574f0a84

SHA1
c7d40cb265c97f11d57a5ad76a297d07b9f86a08

SHA256
490db471fa872396ce802b651936ed9fbf3e4802de348415ae990a1ae94bbb0b

SHA512
5c9d10ba7701e2ba953ad058c8e5498ee72a7ea8d8c1c2893812e507aed94a87dd9c87edd3e3fc8703267b2b7abf9eafe15199ad2291ab9f4b0a04c3d8b34d5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
713f6bacf1305756517b3966ed6f5f87

SHA1
3fba2a338a296a185107bcbb7fbcd18bb5e39f63

SHA256
c5f53efa28195f5c064e3c30827daefb38f967733a069188dee3572dc9451ce6

SHA512
0a53994c108a7a2d0580ed9dfabd9f011e9071430919c04de120930c4ccaed36fd1a52feef156f4b971c2f7b3fff395f4155ab1e2e5778e0ba52661c7a7bc568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e8257aa1b7147af4619b5c49e032b61

SHA1
aa74c3fb76ee4d891401da76a3cc846d3391ec18

SHA256
6cd1ae4b8969c1131c079a04aacfcccaed4cd39045f8c90768c0d689b7a5740e

SHA512
8c79a3ef1e1cf45a1e9918d41747f7ce748ac5d2976e6ef43a7f68dba7dada479a20c0b2af1eadf96f522f9d538b4c66aeb411c679902c5acad4599957a79ee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b6d11274ca581e885fad81048df7846

SHA1
872a4a68acf9c60f16de089b395f80044149ee8d

SHA256
5c0417b28e0c4db94ff93b7502cbf0580078343bff7c6ef5c066644f3819c773

SHA512
cb8efbd5e038c510f8cb137df52eecacae28666f7b19f9c633741c9f7dccb1e02f74bfc00e1acc5d3f025ed9f45cfeb645cdee72a5e3b3b4889ff46b89755ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ac1a3b71fe9602c95d1cc1f9c075b72

SHA1
48248cc2948a63c5d4aa51576f783241855ead67

SHA256
278754e961ae99c29e9fc3488fb8d091ae741a1947257cf9d2cda079a9c73735

SHA512
7c3118d87b2b407c5f10870fc43ab222fa02cdb70e60bb78b4e31b4565ccf84cdb9a6933ec2f473d218584d46f0577f00d114ac13b388a8494239ba55b5450ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39fc525810c0861af190adebc67b7088

SHA1
88580e9a0e5c47ddf0cac665d21ca06bf01b7113

SHA256
0daee386975f730b29100dadb633ffb68a4a408a0577c221a6d2f37760ee33df

SHA512
83516ef3efa6b9696b6132579b6cbc3ef863feec29fcc944fafb92848d8c757f7c9f21e0b43db7203c718d4aeb8b644d958a70896856b3571a4e28a9eb8f9773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f46eb656038c2b62fd5e8e102410cd7d

SHA1
bfe68eb1498100340a6d6fc5e4856d19feaa8724

SHA256
d0c85821dfe6a2a2e264aa0bab2a1be3a18c6f82816609e27786f6e8f185b50e

SHA512
fc572594b3138a66c3a11b344cf870c5c43d857e8818bb6baf24bf4c0c56ccb5bd25b7b9fa1aab360a36fbc3c91052f405840a1be39c61de875f9cf365a67bf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
298b3dc33a07f489df8b6c00d7b1cddf

SHA1
5e0da36c466d5cfc7b9a785db42109ad1c7a9915

SHA256
13e9a5c1816eb98d4c17ce3a43c4ed1d9891f438fcc356c754412eed954f9d03

SHA512
030eb108b303fd08c95dd7de000d71da8736d10168c25af449be5769f7fdd55cd48ca5b8b344f0ff9391492154b00a27b99de69ad318983d08e5294bbb771aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be974d52c39e4d7af1a259b58b3d250a

SHA1
1c7f8fdcd5d91e5595ec15d567eb7c97d32a2c6b

SHA256
5066112956ba5b50d406fa7e81714e7384d1a68f311500e311650632da75f03a

SHA512
9b38466968956ef3fd77a8dea4104be128c66835c0398a77565ce059fa75b84378a60117f83b815dd58f620a5bc35f0dfae2efffbccfbd6f7c0fba73dbd8563d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31aaff188c6253b6872931e40f354746

SHA1
5e9853c215fc38ada7fc81c070c1c2dff2498926

SHA256
67ecc68723b10ed6f4a1d3b52b9e0c919f0a08b1328b6a6a5d7d724ae7bccfa5

SHA512
5fbd9bd39e1c97ea76923d9a8b13f13e22916396458d13435aff86f5acbc318592dc9c0770f73d102af072f1334a5ad7b0f629faf4df87ffc6c3f4ee87439c5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc0fc13fdecd02dd092431a1c1a590fb

SHA1
7c0c640f38d089b3b749290a5492908302ddc6e5

SHA256
56f9ac176d70d01874e4aa92e528d4184a5bb871f250e578c168afa74894baf1

SHA512
b8ad2621438165402327a8ac664c6338090d2594e70189f22feebdf059506367662f50449039e27184ce2139ab3365b2ca613100480aef642b5008473dc12b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0D8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD168.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\a18db89472340983b7a374010cfc3e53b08787e3323578e442eec685822a117a.exe

Filesize
414KB

MD5
f810d339b7622e93d3355953e98d6dd6

SHA1
3e08656d29065f00272991a57d111ffbda006168

SHA256
836fe037385013052e0f568b69f88bceb044e074deb6e4268724af5758c84392

SHA512
88823639b8ce24a2d945ff8ac96f25dec64e5e04a93968bd325d5cc7c039fd3d17efac991107fed4f1df4dd07fb02648987cdeea23ca0ba42c30f46e538f4fb3

Download Submit
memory/2512-189-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/2540-629-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2540-1061-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2540-1063-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download