neshta | 4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec

Analysis

max time kernel
46s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
Size

9.2MB
MD5

3f6dfe20f565a3fd692b04e5cadaccdd
SHA1

5c82762ac421451e0d436a6987cf84755680925b
SHA256

4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec
SHA512

e8a201bd6d696d90d39ac5c125c4f225e74c31e77697275c3a8c43db346f24fde6037297006e79b3c3b33e8a03eea08ed7dd5e445a810bca380a643e39dc04b6
SSDEEP

196608:/Xu6I5jwBnTLzj2dkWPJ7fx6BX5sndaZ20BScIWwJDQzG0S9tU/Sh1:dAKS/+5ogZ2EI30Sd1

Score

10^/10

neshta discovery evasion persistence ransomware spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3032	bcdedit.exe

Executes dropped EXE 5 IoCs

pid	Process
2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
844	dpinst64.exe
1188	Process not Found
2088	mtk_etw_log.exe

Loads dropped DLL 33 IoCs

pid	Process
3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
832	Process not Found
832	Process not Found
2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe
2088	mtk_etw_log.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\LogFiles\MediaTek\Log_Install\install.log	mtk_etw_log.exe
File opened for modification	C:\Windows\system32\LogFiles\MediaTek\Log_Install\install.log	mtk_etw_log.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\amd64\is-UGKK5.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\is-HC8NN.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\i386\is-CPP9N.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\Tools\is-CML03.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\CDC\x86\is-T0G2N.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files (x86)\MediaTek\MediaTek COM_LOG\UninstallLog.exe	mtk_etw_log.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\amd64\is-NLL23.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\is-417F8.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\i386\is-DONI5.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\is-REN2G.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File created	C:\Program Files\MediaTek\SP Driver\drv\is-MAHQL.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\Tools\is-D7ML2.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\Tools\is-LO4N1.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\Program Files\MediaTek\SP Driver\unins000.dat	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtk_etw_log.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logman.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a438-169.dat	nsis_installer_1
behavioral1/files/0x000500000001a438-169.dat	nsis_installer_2
behavioral1/files/0x000500000001a47b-245.dat	nsis_installer_1
behavioral1/files/0x000500000001a47b-245.dat	nsis_installer_2

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2436	3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	29
PID 3012 wrote to memory of 2436	3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	29
PID 3012 wrote to memory of 2436	3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	29
PID 3012 wrote to memory of 2436	3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	29
PID 3012 wrote to memory of 2436	3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	29
PID 3012 wrote to memory of 2436	3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	29
PID 3012 wrote to memory of 2436	3012	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	29
PID 2436 wrote to memory of 2976	2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	30
PID 2436 wrote to memory of 2976	2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	30
PID 2436 wrote to memory of 2976	2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	30
PID 2436 wrote to memory of 2976	2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	30
PID 2436 wrote to memory of 2976	2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	30
PID 2436 wrote to memory of 2976	2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	30
PID 2436 wrote to memory of 2976	2436	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	30
PID 2976 wrote to memory of 3032	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	31
PID 2976 wrote to memory of 3032	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	31
PID 2976 wrote to memory of 3032	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	31
PID 2976 wrote to memory of 3032	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	31
PID 2976 wrote to memory of 844	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	33
PID 2976 wrote to memory of 844	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	33
PID 2976 wrote to memory of 844	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	33
PID 2976 wrote to memory of 844	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	33
PID 2976 wrote to memory of 844	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	33
PID 2976 wrote to memory of 844	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	33
PID 2976 wrote to memory of 844	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	33
PID 2976 wrote to memory of 2088	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	34
PID 2976 wrote to memory of 2088	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	34
PID 2976 wrote to memory of 2088	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	34
PID 2976 wrote to memory of 2088	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	34
PID 2976 wrote to memory of 2088	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	34
PID 2976 wrote to memory of 2088	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	34
PID 2976 wrote to memory of 2088	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	34
PID 2088 wrote to memory of 672	2088	mtk_etw_log.exe	35
PID 2088 wrote to memory of 672	2088	mtk_etw_log.exe	35
PID 2088 wrote to memory of 672	2088	mtk_etw_log.exe	35
PID 2088 wrote to memory of 672	2088	mtk_etw_log.exe	35
PID 2976 wrote to memory of 2444	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	37
PID 2976 wrote to memory of 2444	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	37
PID 2976 wrote to memory of 2444	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	37
PID 2976 wrote to memory of 2444	2976	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	37

C:\Users\Admin\AppData\Local\Temp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
"C:\Users\Admin\AppData\Local\Temp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\is-8LUKB.tmp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8LUKB.tmp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp" /SL5="$7001E,9270631,140800,C:\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\bcdedit.exe
      "C:\Windows\system32\bcdedit" /set testsigning OFF
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3032
  - - C:\Program Files\MediaTek\SP Driver\drv\dpinst64.exe
      "C:\Program Files\MediaTek\SP Driver\drv\dpinst64.exe" /SE /SA /LM /F /A /path "C:\Program Files\MediaTek\SP Driver\drv"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:844
  - - C:\Program Files\MediaTek\SP Driver\Tools\mtk_etw_log.exe
      "C:\Program Files\MediaTek\SP Driver\Tools\mtk_etw_log.exe" /S /Vendor=MediaTek /LoggerName=COM_LOG /MaxFileSize=512 /FileMax=10 /Guid=8ffa488b-07d9-4ef5-b1b2-a0bea188dc1b /EnableLevel=4 /EnableFlags=0xffffff /D="C:\Program Files\MediaTek\SP Driver\.."
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\SysWOW64\logman.exe
        
        logman.exe create trace MediaTek_COM_LOG_INIT -mode 0x8002 -ln MediaTek_COM_LOG_INIT -max 512 -ft 1 -o C:\Windows\system32\LogFiles\WMI\MediaTek\COM_LOG.etl.001 -p {8ffa488b-07d9-4ef5-b1b2-a0bea188dc1b} 0xffffff 4 -f bin -a -ets
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:672
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\MediaTek\SP Driver\Tools\ADB_add_VID.bat""
      4⤵
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\Program Files (x86)\MediaTek\MediaTek COM_LOG\UninstallLog.exe

Filesize
82KB

MD5
0ce06da63bb0531b2458a9c34249fb94

SHA1
f0107d4a0a491f8d6df36e385d70ca2e62408381

SHA256
7fca967f0262a0eddb24330479ade8dcae80a3bb404e63b182b654c1e9effd2a

SHA512
af18e02e379eb632595698c73c8c1f5a8f9ddf900920cb7badf72b2ce1eee3a11a2fce0accee5d8f7983a01a21f88a960b140dffc58ac842e306190dfb0be21e

Download Submit
C:\Program Files\MediaTek\SP Driver\Tools\ADB_add_VID.bat

Filesize
407B

MD5
85db235da3d4e2b9f084e39fa9760463

SHA1
a1ad8257cb42216afa3af3ba2aa4ea6b68cdb217

SHA256
18c02d8226815b96a19793fad77fdd96fbc62324e37baf0c442f949fa382f31d

SHA512
63176742e96fecd24574103948847110dfd35fbdc3c550e16f3aa9d1172da0c8751fda5aec18fe0506df6bfc9ea4a8abf6b50db19c0049bc112b9d110a7293c3

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Program Files\MediaTek\SP Driver\Tools\mtk_etw_log.exe

Filesize
139KB

MD5
6bd6fd45992daefc0f073a980faa0f39

SHA1
ace2449dd7829584a4437a8d47806dff5566a53e

SHA256
3f06256b8a30c3d399be597a6c4dfd495509761e5704a5650abe955fe974be43

SHA512
82a8d6bace73d88c0a0f13793f96851525efc5b71e1da19b6f6f9b7eb7774e2fd70d332ec8ee8f2b1229642bdc987b99f1a87651628731a4d2058af0067151d0

Download Submit
\Program Files\MediaTek\SP Driver\drv\dpinst64.exe

Filesize
1.0MB

MD5
be3c79033fa8302002d9d3a6752f2263

SHA1
a01147731f2e500282eca5ece149bcc5423b59d6

SHA256
181bf85d3b5900ff8abed34bc415afc37fc322d9d7702e14d144f96a908f5cab

SHA512
77097f220cc6d22112b314d3e42b6eedb9ccd72beb655b34656326c2c63fb9209977ddac20e9c53c4ec7ccc8ea6910f400f050f4b0cb98c9f42f89617965aaea

Download Submit
\Program Files\MediaTek\SP Driver\unins000.exe

Filesize
1.1MB

MD5
8328c3f2a28121a897a5f32cd425088a

SHA1
72978777dd9d3bdb425da795e82ffe6c8f6e0495

SHA256
b5f7f2181ba7e0a9afdddc87959c6c2320238df2e15d7a6712d24c8bb3956978

SHA512
c011be4f14ffe06f9bbce4b0955871dd23bc94eb03932fa969ed7f562d8186395bb41a9fcfd402459a6f135e520be80f27a40c4a3074beaafaaa5f753b674643

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Filesize
9.2MB

MD5
1f1464f138ee6a761ead14bae74b74dd

SHA1
47e0b1f0129655c0915123274474df65b71fb596

SHA256
9c214247f111581e3f4b954f4ffb42b4afba96b34156c1b3e6447f0f783d4d93

SHA512
e7af049fad94b31aa27c3d07f356dda462a6e8a67f553a50e811ab49e57355a4091323623e9249bb9a2fc815c52544c3befb2bbd812f019bc395474b94f89967

Download Submit
\Users\Admin\AppData\Local\Temp\is-8LUKB.tmp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp

Filesize
1.1MB

MD5
8fd32d871dfd28c4519cd9c96a120026

SHA1
5bd078aabbc46eb2a04de766dccbc82a6782aef9

SHA256
0c340a0c550cde8d73f7b109416faf9a1243c5bebcc5477123cb97028ba01088

SHA512
86a83f54723ba2d90109edf3f26739e4798b756ec7dd04e50a9cc3eb9075d9f213f1074057b01af55e3fe980a6fef2bea8bffefe0cb6e25b95f7ae42e0fa96e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-SND3D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nsz71A8.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsz71A8.tmp\Time.dll

Filesize
14KB

MD5
8676721a04a174016e5d3f3c554302f1

SHA1
5f230d048560e70bfcb05aace39ad349bc8ff0aa

SHA256
700cf2c2ae144ad688a33d2df320b415425749e1ee87b9ae61edcb42650a1390

SHA512
aa54460dbfe691ece82080df64af98eaf66374060bbf85d8e48e17ec0ab296489a9822c6e8020d5809481e90b1fec9f0558559a0f096ab0452502f7a404a2d0e

Download Submit
\Users\Admin\AppData\Local\Temp\nsz71A8.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsz71A8.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
memory/2088-192-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2436-11-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2436-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-103-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2976-102-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2976-22-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2976-301-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2976-305-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2976-165-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3012-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads