neshta | 4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec

Analysis

max time kernel
95s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
Size

9.2MB
MD5

3f6dfe20f565a3fd692b04e5cadaccdd
SHA1

5c82762ac421451e0d436a6987cf84755680925b
SHA256

4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec
SHA512

e8a201bd6d696d90d39ac5c125c4f225e74c31e77697275c3a8c43db346f24fde6037297006e79b3c3b33e8a03eea08ed7dd5e445a810bca380a643e39dc04b6
SSDEEP

196608:/Xu6I5jwBnTLzj2dkWPJ7fx6BX5sndaZ20BScIWwJDQzG0S9tU/Sh1:dAKS/+5ogZ2EI30Sd1

Score

10^/10

neshta discovery evasion persistence ransomware spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2988	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Executes dropped EXE 4 IoCs

pid	Process
2424	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
1736	dpinst64.exe
3412	mtk_etw_log.exe

Loads dropped DLL 44 IoCs

pid	Process
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe
3412	mtk_etw_log.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\LogFiles\MediaTek\Log_Install\install.log	mtk_etw_log.exe
File opened for modification	C:\Windows\system32\LogFiles\MediaTek\Log_Install\install.log	mtk_etw_log.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\CDC\x64\is-A461J.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\amd64\is-1FSR6.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\is-4G9LE.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\is-2F0G0.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File created	C:\Program Files\MediaTek\SP Driver\Manual\is-GGUSU.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File created	C:\Program Files\MediaTek\SP Driver\drv\Android\i386\is-P2B8N.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\CDC\is-AKQF2.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\Program Files\MediaTek\SP Driver\unins000.dat	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\is-737NF.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File created	C:\Program Files\MediaTek\SP Driver\drv\CDC\is-M934U.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\unins000.dat	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File created	C:\Program Files\MediaTek\SP Driver\drv\is-1VCPQ.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files (x86)\MediaTek\MediaTek COM_LOG\UninstallLog.exe	mtk_etw_log.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\Tools\is-N8AV7.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File created	C:\Program Files\MediaTek\SP Driver\drv\is-SM1DV.tmp	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinst64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtk_etw_log.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	logman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023bff-171.dat	nsis_installer_1
behavioral2/files/0x0008000000023bff-171.dat	nsis_installer_2

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 2424	3832	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	83
PID 3832 wrote to memory of 2424	3832	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	83
PID 3832 wrote to memory of 2424	3832	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	83
PID 2424 wrote to memory of 4536	2424	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	84
PID 2424 wrote to memory of 4536	2424	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	84
PID 2424 wrote to memory of 4536	2424	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe	84
PID 4536 wrote to memory of 2988	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	95
PID 4536 wrote to memory of 2988	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	95
PID 4536 wrote to memory of 1736	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	97
PID 4536 wrote to memory of 1736	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	97
PID 4536 wrote to memory of 3412	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	100
PID 4536 wrote to memory of 3412	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	100
PID 4536 wrote to memory of 3412	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	100
PID 3412 wrote to memory of 1968	3412	mtk_etw_log.exe	102
PID 3412 wrote to memory of 1968	3412	mtk_etw_log.exe	102
PID 3412 wrote to memory of 1968	3412	mtk_etw_log.exe	102
PID 4536 wrote to memory of 3208	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	104
PID 4536 wrote to memory of 3208	4536	4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp	104

C:\Users\Admin\AppData\Local\Temp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
"C:\Users\Admin\AppData\Local\Temp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\is-KLKJD.tmp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KLKJD.tmp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp" /SL5="$A0052,9270631,140800,C:\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\bcdedit.exe
      "C:\Windows\system32\bcdedit" /set testsigning OFF
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2988
  - - C:\Program Files\MediaTek\SP Driver\drv\dpinst64.exe
      "C:\Program Files\MediaTek\SP Driver\drv\dpinst64.exe" /SE /SA /LM /F /A /path "C:\Program Files\MediaTek\SP Driver\drv"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1736
  - - C:\Program Files\MediaTek\SP Driver\Tools\mtk_etw_log.exe
      "C:\Program Files\MediaTek\SP Driver\Tools\mtk_etw_log.exe" /S /Vendor=MediaTek /LoggerName=COM_LOG /MaxFileSize=512 /FileMax=10 /Guid=8ffa488b-07d9-4ef5-b1b2-a0bea188dc1b /EnableLevel=4 /EnableFlags=0xffffff /D="C:\Program Files\MediaTek\SP Driver\.."
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\logman.exe
        
        logman.exe create trace MediaTek_COM_LOG_INIT -mode 0x8002 -ln MediaTek_COM_LOG_INIT -max 512 -ft 1 -o C:\Windows\system32\LogFiles\WMI\MediaTek\COM_LOG.etl.001 -p {8ffa488b-07d9-4ef5-b1b2-a0bea188dc1b} 0xffffff 4 -f bin -a -ets
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\MediaTek\SP Driver\Tools\ADB_add_VID.bat""
      4⤵
      PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
d9e8a1fa55faebd36ed2342fedefbedd

SHA1
c25cc7f0035488de9c5df0121a09b5100e1c28e9

SHA256
bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a

SHA512
134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33

Download Submit
C:\Program Files\MediaTek\SP Driver\Tools\ADB_add_VID.bat

Filesize
407B

MD5
85db235da3d4e2b9f084e39fa9760463

SHA1
a1ad8257cb42216afa3af3ba2aa4ea6b68cdb217

SHA256
18c02d8226815b96a19793fad77fdd96fbc62324e37baf0c442f949fa382f31d

SHA512
63176742e96fecd24574103948847110dfd35fbdc3c550e16f3aa9d1172da0c8751fda5aec18fe0506df6bfc9ea4a8abf6b50db19c0049bc112b9d110a7293c3

Download Submit
C:\Program Files\MediaTek\SP Driver\Tools\mtk_etw_log.exe

Filesize
139KB

MD5
6bd6fd45992daefc0f073a980faa0f39

SHA1
ace2449dd7829584a4437a8d47806dff5566a53e

SHA256
3f06256b8a30c3d399be597a6c4dfd495509761e5704a5650abe955fe974be43

SHA512
82a8d6bace73d88c0a0f13793f96851525efc5b71e1da19b6f6f9b7eb7774e2fd70d332ec8ee8f2b1229642bdc987b99f1a87651628731a4d2058af0067151d0

Download Submit
C:\Program Files\MediaTek\SP Driver\drv\dpinst64.exe

Filesize
1.0MB

MD5
be3c79033fa8302002d9d3a6752f2263

SHA1
a01147731f2e500282eca5ece149bcc5423b59d6

SHA256
181bf85d3b5900ff8abed34bc415afc37fc322d9d7702e14d144f96a908f5cab

SHA512
77097f220cc6d22112b314d3e42b6eedb9ccd72beb655b34656326c2c63fb9209977ddac20e9c53c4ec7ccc8ea6910f400f050f4b0cb98c9f42f89617965aaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.exe

Filesize
9.2MB

MD5
1f1464f138ee6a761ead14bae74b74dd

SHA1
47e0b1f0129655c0915123274474df65b71fb596

SHA256
9c214247f111581e3f4b954f4ffb42b4afba96b34156c1b3e6447f0f783d4d93

SHA512
e7af049fad94b31aa27c3d07f356dda462a6e8a67f553a50e811ab49e57355a4091323623e9249bb9a2fc815c52544c3befb2bbd812f019bc395474b94f89967

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLKJD.tmp\4c32908819404adcaed8a34990beb66595c3641b4ef83b50b5ffb170e543edec.tmp

Filesize
1.1MB

MD5
8fd32d871dfd28c4519cd9c96a120026

SHA1
5bd078aabbc46eb2a04de766dccbc82a6782aef9

SHA256
0c340a0c550cde8d73f7b109416faf9a1243c5bebcc5477123cb97028ba01088

SHA512
86a83f54723ba2d90109edf3f26739e4798b756ec7dd04e50a9cc3eb9075d9f213f1074057b01af55e3fe980a6fef2bea8bffefe0cb6e25b95f7ae42e0fa96e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu413.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu413.tmp\Time.dll

Filesize
14KB

MD5
8676721a04a174016e5d3f3c554302f1

SHA1
5f230d048560e70bfcb05aace39ad349bc8ff0aa

SHA256
700cf2c2ae144ad688a33d2df320b415425749e1ee87b9ae61edcb42650a1390

SHA512
aa54460dbfe691ece82080df64af98eaf66374060bbf85d8e48e17ec0ab296489a9822c6e8020d5809481e90b1fec9f0558559a0f096ab0452502f7a404a2d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu413.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu413.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
C:\Windows\System32\LogFiles\MediaTek\Log_Install\install.log

Filesize
635B

MD5
02ecd79b8ec6189a506e5619287d3122

SHA1
2e495521f1bb0cea1283766d27fb6684c7213bcc

SHA256
d923bd62830dcd779606ec3f0388b57e52c1d9929d8446e45083a2c53f905e8b

SHA512
35a2e020616a4524e14d36a9cdfa679a916fd6d7300fa82e66248c5e7ef66dfa1a4571cf643702167f9826eff4db424aab4ff0061f469672bc42fdeb227551e3

Download Submit
memory/2424-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-15-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2424-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3412-194-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/3832-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3832-167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3832-111-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3832-343-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4536-169-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4536-162-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4536-110-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4536-346-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/4536-20-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads