Analysis
max time kernel: 120s
max time network: 134s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 17-12-2024 20:35
Behavioral task
behavioral1
Sample
222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Resource
win10v2004-20241007-en
General
-
Target
222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
-
Size
1.8MB
-
MD5
b2a57829bf508d6bdc1f13035ee89e00
-
SHA1
fc003983062a9ff565db96a746e97d7955307f25
-
SHA256
222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d
-
SHA512
ed267cdc479f5d7f7f36076c02c2a4417c121c79e80578a3bc64830c559a9a026c51de0505d05872bc39823354244d5ed82894c42acd86f1fb72d137661221ea
-
SSDEEP
6144:k9k/uXEnYjMgrB9aQHzqEgRgeAOYs7Aptq2xcqC4S3O23dXZ:WWYowTqXWs7A22xc14S3O23n
Malware Config
Signatures
-
Detect Neshta payload 3 IoCs
resource yara_rule
behavioral1/files/0x0001000000010314-9.dat family_neshta
behavioral1/memory/2332-83-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2332-89-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
Neshta
Malware from the Neshta family infects other executable files on the host in order to spread itself and cause damage.
-
Neshta family
-
Executes dropped EXE 1 IoCs
pid Process
2708 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Loads dropped DLL 2 IoCs
pid Process
2332 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
2332 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
This value is the shell open handler for every .exe, so the dropped C:\Windows\svchost.com runs first on each program launch and receives the original executable path as "%1".
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process
All 64 entries are "File opened for modification" by process 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe; the modified files are:
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\WINDOW~1\wab.exe
C:\PROGRA~2\WINDOW~1\WinMail.exe
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\svchost.com 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Modifies registry class 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2652 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2652 iexplore.exe
2652 iexplore.exe
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
2680 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2332 wrote to memory of 2708 2332 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe 30 (reported 4 times)
PID 2708 wrote to memory of 2652 2708 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe 31 (reported 4 times)
PID 2652 wrote to memory of 2680 2652 iexplore.exe 32 (reported 4 times)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2332
Level 2: C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2708
Level 3: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://line.me/download
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2652
Level 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:275457 /prefetch:2
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2680
Network
MITRE ATT&CK Enterprise v15
Downloads
\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Filesize
1.7MB
MD5
88b025628d6a11f175efc3e408f15bc7
SHA1
9052d13959414970d1101dc015373b2b6f3db491
SHA256
c989d724540a41e68eabd23badfb429d61745af88444e26fdd38a2f4ef64a8d6
SHA512
8f6caa9da491a40eb6c74f1d4addc82b6a169d4624375efc88a3dadbec3968a07017cd1e9d609a9c9023a5afb2994af59d41822e7a3539e1f5ba2512f9522f40