neshta | f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758e

Analysis

max time kernel
52s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
Size

918KB
MD5

1d27999acfcb8c914369b50caf892cc0
SHA1

21e4fe1ece628822ec7bd578fa2fa82152cdd5ba
SHA256

f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758e
SHA512

dd624551465768d3bef4d9b1d0eb1e3afce9d2eca6e23e52a62a8d0a39c5b61d59fb0e9ce022b7d2d3b36a3cd79093c825d1f5877ac75801bcce35304671a5ad
SSDEEP

12288:0WDHzqGhX888888888888W88888888888pVHCxyIPfgFw/ktXoDXpz8WNlw7IK7f:0WbzqSL9CdAw3DXpTlwEKozienev

Score

10^/10

neshta discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010319-15.dat	family_neshta
behavioral1/memory/2076-94-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2076-98-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\UnlockerDriver5\ImagePath = "\\??\\C:\\Program Files\\Unlocker\\UnlockerDriver5.sys"	Unlocker.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 3 IoCs

pid	Process
2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
1216	Unlocker.exe

Loads dropped DLL 8 IoCs

pid	Process
2076	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
2076	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
1200	Process not Found
1756	regsvr32.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\Program Files\Unlocker\UnlockerInject32.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File created	C:\Program Files\Unlocker\unins000.dat	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\Program Files\Unlocker\unins000.dat	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File created	C:\Program Files\Unlocker\is-JDP1O.tmp	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
File created	C:\Program Files\Unlocker\is-0NB2U.tmp	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Program Files\\Unlocker\\UnlockerCOM.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1216	Unlocker.exe
1216	Unlocker.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	Unlocker.exe
Token: SeLoadDriverPrivilege	1216	Unlocker.exe
Token: SeBackupPrivilege	1216	Unlocker.exe
Token: SeTakeOwnershipPrivilege	1216	Unlocker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2124	2076	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	30
PID 2076 wrote to memory of 2124	2076	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	30
PID 2076 wrote to memory of 2124	2076	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	30
PID 2076 wrote to memory of 2124	2076	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	30
PID 2124 wrote to memory of 1656	2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	31
PID 2124 wrote to memory of 1656	2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	31
PID 2124 wrote to memory of 1656	2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	31
PID 2124 wrote to memory of 1656	2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	31
PID 2124 wrote to memory of 1656	2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	31
PID 2124 wrote to memory of 1656	2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	31
PID 2124 wrote to memory of 1656	2124	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe	31
PID 1656 wrote to memory of 1756	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	33
PID 1656 wrote to memory of 1756	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	33
PID 1656 wrote to memory of 1756	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	33
PID 1656 wrote to memory of 1756	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	33
PID 1656 wrote to memory of 1756	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	33
PID 1656 wrote to memory of 1756	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	33
PID 1656 wrote to memory of 1756	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	33
PID 1656 wrote to memory of 1216	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	35
PID 1656 wrote to memory of 1216	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	35
PID 1656 wrote to memory of 1216	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	35
PID 1656 wrote to memory of 1216	1656	f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp	35

C:\Users\Admin\AppData\Local\Temp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
"C:\Users\Admin\AppData\Local\Temp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\3582-490\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\is-UD35L.tmp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-UD35L.tmp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp" /SL5="$5010A,364435,288768,C:\Users\Admin\AppData\Local\Temp\3582-490\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1756
  - - C:\Program Files\Unlocker\Unlocker.exe
      "C:\Program Files\Unlocker\Unlocker.exe"
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Suspicious behavior: LoadsDriver
      Suspicious use of AdjustPrivilegeToken
      PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Program Files\Unlocker\Unlocker.exe

Filesize
122KB

MD5
0a77f732624155a215f5ca54df9b2930

SHA1
172bdf71343dd6544cfbe04abbc3dec4535f7d84

SHA256
a0b651038c4301f70e4aea506eb90edc584a5c4ca46880c7dc2ae5eafa6dc506

SHA512
6482c9fc3b5ff9d5798deb9965b4dfab9ba62b889e921011696f29dd96b813194a59f76a52a88fa4962317c6a43a21122c857e4ca80c6c4360c2cee544117352

Download Submit
\Program Files\Unlocker\UnlockerCOM.dll

Filesize
19KB

MD5
5fe324d6c1dc481136742ab5fb8f6672

SHA1
02f2d4476006cecd771de3cbe247e432950ae916

SHA256
0a66b19bb38385a8879633dce1272b8acf1b4b264c88e254345ec249335b41b1

SHA512
faa76477503923d1c14a12f00d7d416e5fbb485560ea02ed1e6ef6337f9ad88bc612af241ea61c8f9003253ccf5f66b2c7ce4a508bb2adc761c4f36ac345195d

Download Submit
\Program Files\Unlocker\unins000.exe

Filesize
1.3MB

MD5
8b27b7b23334c6add3a9d9a300759d87

SHA1
51eb5625c3582326ccf8fa9453645c170d4b23c1

SHA256
cc330b3baed487799885c0da72f3c2e74cecfbb3de8c42b8a9bd6c87d0397567

SHA512
3b64a938ce782acf150629532a56fb9cd4dc17a3e77fb3c5e392a9700afe63ad3f2c733508fbb772b3a7b770a73ffd01a44255ccf4d5f6ccb87f21b9ed206b36

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe

Filesize
878KB

MD5
f6f59d4775de8c1136ceb8edb9a13dfe

SHA1
1cfb8881793e3466d6195794b1a6ed2fcae1d3b9

SHA256
477d7a9a17cd99bb7ad7ed4ccf990878d3584d35e282b3cffe722589a375ac92

SHA512
bbb315581392e9e5d27085e2610429cb0f1b47986325af048201bafc2844aba2c258c99ea325180b60fb7ed989f9e907371a648635bb4cf90c17b6837ae4d8ed

Download Submit
\Users\Admin\AppData\Local\Temp\is-UD35L.tmp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp

Filesize
1.3MB

MD5
42af920b1f618923de9c1f037c2762d9

SHA1
15e551c85dae5cf8a4d88676dbdb405632f18781

SHA256
1bc73a44e2bc7a03eef59c518741e1c98548c4b4db37104b58e701389eaabe89

SHA512
1ee4ecbad38db9cdc6283241325c703d2ca8a9f9eef1b1b3474344f4b3622cf45a2c6e9ce461c7e7667153025ba1cae7226d62cf84a053e53d156fc56ff287d1

Download Submit
memory/1656-20-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1656-96-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1656-100-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1656-102-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1656-104-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1656-138-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/1656-140-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/2076-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-94-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-95-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2124-11-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2124-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2124-141-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download