Analysis
- max time kernel: 94s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 16:03
Behavioral task: behavioral1
- Sample: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
- Resource: win10v2004-20241007-en
General
- Target: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
- Size: 918KB
- MD5: 1d27999acfcb8c914369b50caf892cc0
- SHA1: 21e4fe1ece628822ec7bd578fa2fa82152cdd5ba
- SHA256: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758e
- SHA512: dd624551465768d3bef4d9b1d0eb1e3afce9d2eca6e23e52a62a8d0a39c5b61d59fb0e9ce022b7d2d3b36a3cd79093c825d1f5877ac75801bcce35304671a5ad
- SSDEEP: 12288:0WDHzqGhX888888888888W88888888888pVHCxyIPfgFw/ktXoDXpz8WNlw7IK7f:0WbzqSL9CdAw3DXpTlwEKozienev
Malware Config
Signatures
- Detect Neshta payload (4 IoCs)
  yara_rule family_neshta matched the following resources:
    behavioral2/files/0x0006000000020231-22.dat
    behavioral2/memory/552-103-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral2/memory/552-106-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral2/memory/552-110-0x0000000000400000-0x000000000041B000-memory.dmp
- Neshta
  Malware from the Neshta family infects other executable files in order to spread and cause damage.
- Neshta family
- Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str) by Unlocker.exe:
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5\ImagePath = "\\??\\C:\\Program Files\\Unlocker\\UnlockerDriver5.sys"
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried by f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe:
    \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
- Event Triggered Execution: Component Object Model Hijacking (1 TTP)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE (3 IoCs)
  PID 2208: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
  PID 3636: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
  PID 4172: Unlocker.exe
- Loads dropped DLL (1 IoC)
  PID 224: regsvr32.exe
- Modifies system executable filetype association (2 TTPs, 1 IoC)
  Set value (str) by f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe:
    \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (64 IoCs)
description ioc Process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File created C:\Program Files\Unlocker\is-8CVM7.tmp f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File created C:\Program Files\Unlocker\is-T93LI.tmp f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe 
f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\Program Files\Unlocker\UnlockerCOM.dll f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\Program Files\Unlocker\Unlocker.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File created C:\Program Files\Unlocker\unins000.dat f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification 
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\Program Files\Unlocker\UnlockerInject32.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe 
f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File created C:\Program Files\Unlocker\is-2JK3K.tmp f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File created C:\Program Files\Unlocker\is-SCN9H.tmp f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 
f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File created C:\Program Files\Unlocker\is-HHLVD.tmp f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe -
- Drops file in Windows directory (1 IoC)
  File opened for modification by f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe:
    C:\Windows\svchost.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
- Modifies registry class (12 IoCs)
  regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  regsvr32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}
  regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension"
  regsvr32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32
  regsvr32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension
  regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  regsvr32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension
  f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
  regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Program Files\\Unlocker\\UnlockerCOM.dll"
  regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment"
  regsvr32.exe: Key created \REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension
  regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3636: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
  PID 3636: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
- Suspicious behavior: LoadsDriver (2 IoCs)
  PID 4172: Unlocker.exe
  PID 4172: Unlocker.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 4172 (Unlocker.exe)
  Token: SeLoadDriverPrivilege, PID 4172 (Unlocker.exe)
  Token: SeBackupPrivilege, PID 4172 (Unlocker.exe)
  Token: SeTakeOwnershipPrivilege, PID 4172 (Unlocker.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3636: f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 552 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe) wrote to memory of 2208, procid_target 83
  PID 552 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe) wrote to memory of 2208, procid_target 83
  PID 552 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe) wrote to memory of 2208, procid_target 83
  PID 2208 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe) wrote to memory of 3636, procid_target 84
  PID 2208 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe) wrote to memory of 3636, procid_target 84
  PID 2208 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe) wrote to memory of 3636, procid_target 84
  PID 3636 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp) wrote to memory of 224, procid_target 100
  PID 3636 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp) wrote to memory of 224, procid_target 100
  PID 3636 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp) wrote to memory of 4172, procid_target 102
  PID 3636 (f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp) wrote to memory of 4172, procid_target 102
Processes
- C:\Users\Admin\AppData\Local\Temp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe (PID 552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe"
  - Checks computer location settings
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe (PID 2208)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-8VDM1.tmp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp (PID 3636)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-8VDM1.tmp\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.tmp" /SL5="$801C2,364435,288768,C:\Users\Admin\AppData\Local\Temp\3582-490\f9629746167c524d7cc3e9c5b4d3b0fa36328dc45e58a544a05116f31abe758eN.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe (PID 224)
        Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
        - Loads dropped DLL
        - Modifies registry class
      - C:\Program Files\Unlocker\Unlocker.exe (PID 4172)
        Command line: "C:\Program Files\Unlocker\Unlocker.exe"
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (2)
    - Change Default File Association (1)
    - Component Object Model Hijacking (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (2)
    - Change Default File Association (1)
    - Component Object Model Hijacking (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads