neshta | cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f

Analysis

max time kernel
121s
max time network
133s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
Size

95KB
MD5

91f8c5655e265566963c8110f8a9de7b
SHA1

b96f17997e415aeb3cdf82a68927aeae232febac
SHA256

cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f
SHA512

7e9b9612e3b4868afb70c9dd6a94715fd0511043949a89cacead24e2369744525d0a411d92c6cc81f24f7e222e1be37a0ba790dcb9ed7e8ab289e0d4f504f7d1
SSDEEP

1536:yxqjQ+P04wsZLnDrC5MXL5uXZnzEPf+hzRsibKplyXTq8OGRnsPFG+RODTbN:zr8WDrCawnYPmROzoTq0+RO7N

Score

10^/10

neshta ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2980	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
2832	DesktopLayer.exe

Loads dropped DLL 4 IoCs

pid	Process
3044	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
2980	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
3044	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
3044	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2980-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000a000000016cd8-5.dat	upx
behavioral1/memory/2980-14-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2980-20-0x0000000000240000-0x000000000026E000-memory.dmp	upx
behavioral1/memory/2832-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2832-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2980-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MIE74D~1\DESKTO~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px230B.tmp	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438256837"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0CD6271-A721-11EF-AEBA-4E1013F8E3B1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2832	DesktopLayer.exe
2832	DesktopLayer.exe
2832	DesktopLayer.exe
2832	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2716	iexplore.exe
2716	iexplore.exe
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2980	3044	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	30
PID 3044 wrote to memory of 2980	3044	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	30
PID 3044 wrote to memory of 2980	3044	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	30
PID 3044 wrote to memory of 2980	3044	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	30
PID 2980 wrote to memory of 2832	2980	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	31
PID 2980 wrote to memory of 2832	2980	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	31
PID 2980 wrote to memory of 2832	2980	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	31
PID 2980 wrote to memory of 2832	2980	cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe	31
PID 2832 wrote to memory of 2716	2832	DesktopLayer.exe	32
PID 2832 wrote to memory of 2716	2832	DesktopLayer.exe	32
PID 2832 wrote to memory of 2716	2832	DesktopLayer.exe	32
PID 2832 wrote to memory of 2716	2832	DesktopLayer.exe	32
PID 2716 wrote to memory of 2860	2716	iexplore.exe	33
PID 2716 wrote to memory of 2860	2716	iexplore.exe	33
PID 2716 wrote to memory of 2860	2716	iexplore.exe	33
PID 2716 wrote to memory of 2860	2716	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
"C:\Users\Admin\AppData\Local\Temp\cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\3582-490\cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89dbed6157396152b8fe0ab75ac3552f

SHA1
c723779beb25a55dd1720c5153237662cdf34f13

SHA256
7ea8aea0a5c1dd6d833f3214d70de552cd07e0225172ce13f5d74acec54c2cc2

SHA512
6eabc8238b8d7fbf0389d0a4173167ff6ffb09dcd5ffef2f6267008abbf6ca53bcc8d59c7adfa5074312fa0040cf765dab5c844aec4f1f55055a46707e02b56f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92910614b12271c8cc34f969c6c69f9e

SHA1
70234a52fb4136626213c8b13535c94eddb46b9c

SHA256
63f3cf383f0f205bec94e584143092ca35feefe86b2d0e9d599f6ef94fbf7871

SHA512
42d0606a280df79bda3e1847b5b15bbb4dd87d51fb5c960fc54bf2a865bc6a1c9ddd962e8f7aecec87293c52887c7a92997f4648d5f277c1c3e39d19166c9969

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eacba9630d0c7118af745a3631a4a2f

SHA1
9ef3c8eda2fc95b1351e661c42ce6b262646d9d5

SHA256
f6dd554a9a57fdb7fac3363fb3f956050419ed2b8a3dd2172e25591b08c12ef6

SHA512
dead8035161dc57af3ce935cfea9501b2efb6054fbb2a9dc9a6f9d50eb52dbc6cf6e54bfe193e6d398db0a45264a6e579898bcc57e8b852382a8067ed0631731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97e7dd45d5d4ac56bf642bd4a2d0cd90

SHA1
91f38a41fe86dcb3cdb7bd1fc12cf151da293623

SHA256
95dc38ff54ca5f60b5c0a211180d9015f089cb963597778fc8fe188173b5bd7a

SHA512
f89d0a1927faa712b4f3cb66c98350c32a74d74aaae4ed3d48aca2e1f04b2109515ae1ab61f146f08ad9fd9ca9bb67058dc77acfbf00fab8702bf0fb557a7a6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6797dd8afaff3385aef33fc5248084fe

SHA1
49c72d5f851daf84c89d9e252a33b975bd99fbaf

SHA256
d61de66d08314f33cef9e27f8cd78b91c2a1783e9e0fe1db2195eee2965ff04b

SHA512
7421f72c8f9128f7cd339eb511eec5be59c7e172e359db933680d61b4f36bd6f51c68fbe73c0878a693f85155ec2775d78341434aed8dba964aae319175c5f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8bd4c49f2833383374affc48a193a7b

SHA1
1f679a2efa21939a15a4408565cd9c0226ce2b51

SHA256
1e1fc40253dec8e6cf59be8afdba5906a72b4dc145e059fc1c2b81ce1161cceb

SHA512
f698e08673fcd89a0bd7be066e11d3214e94a3fae4be59a44bc1be7a158760b1631b56922b0bba4949751681ab7588d12b71ddab8bf51d4adbc228dcf82207d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35d86463fd03ba29cece8e78f001920f

SHA1
0cd6f29b5f83043b20e9c199814be633df56021f

SHA256
7a97ef95796f5e31507d44e27ded0f307d427f7d950b452b62cc5e0beba9651d

SHA512
caf62a163ea2a94265f5a59adcd82a3560106f167d95bd823d61c35f56f56933b65bab2b233ad1d1e68507add63e54cd48197087b7ffb63979a6b3076aee0a3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c165f9d0a066f4a552ada1bc62936321

SHA1
30459c9b780405d7e9feb3c29f91bbca052dabe5

SHA256
7b74dab75b2ce34c11077dd70539037c2d0fea61bd5df4f96e64ad563d17df46

SHA512
7a7f371eb4d0628da28c3b91a91c9c78fe12e4a0d6388bee05a263d1cafc9e6fac26337db5a3b8677454d07e00137b615f5f6e08b1c38524794f60dea8327e95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
080b77406e0c16d6da788ca67995c553

SHA1
d2524a9189fede60fdcc89a3211b87033a94bd1b

SHA256
745444ee7a0c8c93a8f15ff61957e0eef7fbbec4731fffc10c4082cf47333dfa

SHA512
629115c29d04cee9608b6f271019f6801f2ee7abb673acedf42fbe3ea20a686c1c510de777890be6411e41566fed1fb638b74b2e6047e04912739e0c3c854580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c67712e0fd5948cf1571966cb3eccde7

SHA1
be9c968093f0cf9316c2c87d0880a659416d5cbd

SHA256
f3215ecd9022d07aebeb0d46a4ecb872aa46d0aadc1b217e9d3188b46af5e7f4

SHA512
f3883f810ebd5d56a2f73ec6dc5070cc0f44c7924df499dcd7360cdb6a758dc68400f2fe4ce307507d64316c4fda9171bd49d7f90df45de4f184fe354c043ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61f198fe510191b45b4ed78ee220d2da

SHA1
c2fa75864052267eb378c3faaa0873a4cbc027b0

SHA256
aea628ba2b99d3d96916cd97dbb16b7ead13d85ed0dace514d8ef430c7fb6312

SHA512
668e08baee92137a0d308ab1ddeea27d87cabc819a9ce5fe7e0ac6354c9c8fe309f77203a6b8d4caf7eb2adacec0b2b4d8616ac2aabf16547f6f78988e987c8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c677627b0229571bd216155ab746aa2e

SHA1
4676851a5410fdb2c34b66ed233f695e75ba486a

SHA256
6916d4f47ebc15532459c4eb1ec7a2af5e7e05b2775705db3a4c166f39623e1d

SHA512
a0bf874d6ece10fc1cbe43d846f07f71b51ecf49b6b444b3fc8b0eff06a6f156e164bc1c363bd7ef2eb28366b33e1557aee6b21e33a5a45290433572565c7a0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa452b1f63f9ab7d5ef7da5676329911

SHA1
b615c2ec3ef3e2928f7047c662a0b1010f9d5a98

SHA256
99eccb6b525f03eaacde72aa4cece32ee355104d31b3655f692d123810093644

SHA512
00262bd7f2994266d433acb1458530e8c3f0298a3a142e4eed374724801f4ce38857640b1a772eb752c1a5783bc74044cd8855197604fbc7d1d3417b9bcf6e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20afd4d38afbffb849e0476273322a99

SHA1
d19e790e07bf772452a7bcaafd5674aeac1e148f

SHA256
1339a629999fb29d7df805c8fc2b859e103004f275a0e8fd74be18fa90c12ea6

SHA512
810c9973b54d4792d966972a2ba93e19ef337ae9899053d8a570443943b2b71929ad286544ab4c7c7da589b81081b67210e3e10ef6ff3b41dd61a2691f3c64a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41e6fa947d4eb0f2f88dc159cb994c1f

SHA1
88604862820c6fd387223000a3ae376609dd8559

SHA256
711a88e8b2327316c3c5795a71bc35c704af20aac4776f0d3af1855c4fce8538

SHA512
c82df528b769e40531bd9db13fd59d188249e8ae7e91c86f3b538481ca9beede11e1600f0e74ca1db925cbb50ea39e0c38d67f747f70b42dac8040e623a97828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89cd3d85f5b790e43386abd7d1b9d277

SHA1
b91f83e58d69e02889485ba18d693299d8c7b792

SHA256
fbc28b5f5eb53725dbf8060c1a36b09df8ece2f597223ba85821a79c7800ea8b

SHA512
be730c04a8c0153e723fc62f18aaf086cb2918e6cd17e8087ede5c550be49ee863f5c466df9620d1846b31e1311c3f3454f97c674fb662c6c4959cc72c514b62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
413bb8b52cb02bcefaaeb0f12e337351

SHA1
69d568a04c5128884e4ee11fd37ffcd3110f6222

SHA256
58a28ac801f9d8db654135fe375cb502ae9bceb19542a730551cfd0e9373f04e

SHA512
4e6440799ed813371062bebbc0d3f4046a5ac78e57bf3d00588bb2321884a1a7837dac3d131de821d0726ab422f78e8e0a583beefd5befd1173f49edaad3f027

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58fd1a3febea6a6563e9ef6a49520185

SHA1
7f830ba4b70bf381620de48c4d7af66a6b42aaa6

SHA256
642f0fbce195b4b98aabfd2aae7c30c0d06a5a79a4f66a828e58a0b73e34dc24

SHA512
73e7a4b258f3ab0cc3e9129925d7f934ad1e504c0894d79e6cbe33d24f2422ef3ebdbcd2202988383c0eea329fe5917030999d3aef58d9b438b12a3851a23199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1d90c8f8d567f087898457413318458

SHA1
34e14506260701079a3847cfe3645bc17311e6a9

SHA256
649e648fa1ea9af3dffc8f093bb373465bff40741086ce709ede6dbd88097758

SHA512
d0fea9c652aefae9a52276400727a0ed44325d7ee7eb54387086e7908f9cf0a08dd4e1097ded385700ed485d41b5ed62d041427582b7fdf0b66d318e0a2bebf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cb9e615dcaf44187ad82f13ee4b711c38696c33e0fc25aa44309937bd571811f.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4675.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4724.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
memory/2832-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2832-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2832-27-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2980-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2980-12-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2980-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2980-20-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2980-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3044-226-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-537-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-535-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-534-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-533-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3044-8-0x00000000024B0000-0x00000000024DE000-memory.dmp

Filesize
184KB

Download
memory/3044-62-0x00000000024B0000-0x00000000024DE000-memory.dmp

Filesize
184KB

Download