Analysis
max time kernel: 121s
max time network: 134s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 20:42
Behavioral task
behavioral1
Sample
222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Resource
win10v2004-20241007-en
General
Target: 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Size: 1.8MB
MD5: b2a57829bf508d6bdc1f13035ee89e00
SHA1: fc003983062a9ff565db96a746e97d7955307f25
SHA256: 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d
SHA512: ed267cdc479f5d7f7f36076c02c2a4417c121c79e80578a3bc64830c559a9a026c51de0505d05872bc39823354244d5ed82894c42acd86f1fb72d137661221ea
SSDEEP: 6144:k9k/uXEnYjMgrB9aQHzqEgRgeAOYs7Aptq2xcqC4S3O23dXZ:WWYowTqXWs7A22xc14S3O23n
Malware Config
Signatures
-
Detect Neshta payload 3 IoCs
resource (yara_rule):
behavioral1/files/0x0001000000010314-10.dat (family_neshta)
behavioral1/memory/2400-83-0x0000000000400000-0x000000000041B000-memory.dmp (family_neshta)
behavioral1/memory/2400-89-0x0000000000400000-0x000000000041B000-memory.dmp (family_neshta)
Neshta
Neshta is a file-infecting virus: it spreads by writing its own body into other Windows executables (in this run, 64 programs under Program Files were opened for modification), installs a copy of itself as C:\Windows\svchost.com, and rewrites the exefile association so that every .exe launch passes through that copy before the intended program runs. The infected host is written back out to a 3582-490 directory under %TEMP% and executed from there, which is the second process in the tree below.
-
Neshta family
-
Executes dropped EXE 1 IoCs
PID 1328: 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Loads dropped DLL 2 IoCs
PID 2400: 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe (2 loads)
Modifies system executable filetype association 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" by 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
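The registry write above is what keeps Neshta resident after the infected program exits: the Windows default for the exefile ProgID is "%1" %* (run the launched program with its arguments), and the sample has put C:\Windows\svchost.com in front of the placeholder so that every .exe launch runs the virus copy first with the real target as an argument. As an added example that is not part of the sandbox report, the following Python classifies a shell\open\command value the way an analyst checking a registry export would, and emits the .reg text that restores the default. The value under test is the one recorded above (the report shows it with backslashes and inner quotes escaped); the function names are mine.

```python
"""Added example (not from the sandbox report): triage the exefile
shell\\open\\command value and produce the .reg fragment that restores it."""
import re

# Windows default for the exefile ProgID: run the launched program with its arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Value recorded in the report, unescaped.
REPORTED_VALUE = r'C:\Windows\svchost.com "%1" %*'


def split_command_line(cmd: str) -> list:
    """Split on whitespace but keep double-quoted runs (quotes included) together.
    Sufficient for shell\\open\\command values; not a full CommandLineToArgvW."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def analyze_exefile_command(value: str) -> dict:
    """Classify a shell\\open\\command value.

    The launched program is substituted for %1. Anything placed before that
    placeholder runs first on every EXE launch and receives the real target as
    an argument, which is the interposition Neshta performs with svchost.com."""
    tokens = split_command_line(value.strip())
    placeholder = [i for i, t in enumerate(tokens) if t.strip('"') == "%1"]
    if not placeholder:
        return {"hijacked": True, "interposer": None,
                "reason": "no %1 placeholder; EXE launches would not run the target"}
    first = placeholder[0]
    if first == 0:
        return {"hijacked": False, "interposer": None,
                "reason": "target launched directly"}
    # Join the leading tokens so a quoted path containing spaces survives as one string.
    interposer = " ".join(t.strip('"') for t in tokens[:first])
    return {"hijacked": True, "interposer": interposer,
            "reason": "program interposed before %1"}


def restore_reg_text() -> str:
    """A .reg fragment that puts the default back. In .reg syntax the inner
    quotes of "%1" are escaped with backslashes."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command]\r\n"
            '@="\\"%1\\" %*"\r\n')


if __name__ == "__main__":
    print(analyze_exefile_command(REPORTED_VALUE))
    print(restore_reg_text())
```

Order matters during cleanup: restore the association before deleting C:\Windows\svchost.com, because while the value still names that file no .exe on the machine will launch once it is gone. HKCR\exefile is a merged view of this HKLM key, so checking either location shows the same value; the report lists the identical write again under "Modifies registry class" below.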
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, such as saved credentials. (Technique-level signature; no individual indicators were recorded for it in this run.)
-
Drops file in Program Files directory 64 IoCs
All 64 entries are "File opened for modification" by 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe (paths recorded in 8.3 short form):
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
C:\PROGRA~2\WI54FB~1\WMPDMC.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\WI4223~1\sidebar.exe
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
C:\PROGRA~2\MICROS~1\Office14\misc.exe
C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
C:\PROGRA~2\WINDOW~1\wabmig.exe
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
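The 64 programs opened for modification above are Neshta's infection targets, and the 1.7MB copy the sample writes to %TEMP%\3582-490\ (listed under Downloads) is the original host carried inside the 1.8MB infected file: the infector's own image comes first and the original program follows it as overlay data. As an added example that is not part of the sandbox report, the following Python locates a second PE image after the first image's sections and carves it out, which is how an analyst recovers the host from a suspected prepender-infected file. The PE builder constructs tiny synthetic inputs so the script runs offline; they are not real binaries, and whether a given Neshta variant stores the host byte-for-byte is an assumption (the report only shows the host being written out and executed).

```python
"""Added example (not from the sandbox report): find and carve a PE image
carried after the first image's sections, the layout a prepending file
infector leaves behind. Synthetic PEs below are constructed test input."""
import struct
from typing import Optional

SECTION_HEADER_SIZE = 40


def pe_raw_end(data: bytes) -> Optional[int]:
    """Offset just past the last section's raw data (start of the overlay),
    or None when `data` does not begin with a parsable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    sect_off = e_lfanew + 24 + opt_size
    end = sect_off + SECTION_HEADER_SIZE * nsect
    if end > len(data):
        return None
    for i in range(nsect):
        off = sect_off + SECTION_HEADER_SIZE * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Offset of a parsable PE inside the overlay of `data`, or None."""
    end = pe_raw_end(data)
    if end is None:
        return None
    pos = data.find(b"MZ", end)
    while pos != -1:
        if pe_raw_end(data[pos:]) is not None:
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def carve_embedded_pe(data: bytes) -> Optional[bytes]:
    """Bytes from the embedded image to end of file: for a prepender this is
    the original host, the file Neshta writes back under %TEMP%\\3582-490."""
    pos = find_embedded_pe(data)
    return None if pos is None else data[pos:]


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed test input: one-section PE32 whose section raw data starts
    immediately after the section table."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt_hdr = b"\x0b\x01" + b"\0" * (opt_size - 2)        # PE32 magic, remaining fields zeroed
    raw_ptr = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + section + payload


HOST = build_minimal_pe(b"original host program")
INFECTED = build_minimal_pe(b"infector stub") + HOST   # prepender layout: stub first, host after


if __name__ == "__main__":
    print("clean host embedded PE offset:", find_embedded_pe(HOST))
    print("infected embedded PE offset:", find_embedded_pe(INFECTED))
    print("carved copy matches host:", carve_embedded_pe(INFECTED) == HOST)
```

Treat a hit as a lead, not a verdict: installers, self-extracting archives and some signed binaries legitimately carry whole PEs in their overlay. For this sample the confirmation is already on the page: the hash of the file written to 3582-490 can be compared against what the carve produces from the submitted 1.8MB file.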
Drops file in Windows directory 1 IoCs
File opened for modification C:\Windows\svchost.com by 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Modifies Internet Explorer settings 34 IoCs
All keys below are relative to \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ and were written by iexplore.exe unless noted:
Key created PageSetup
Key created Toolbar
Key created Recovery\AdminActive
Key created Main\WindowsSearch
Key created GPU
Key created LowRegistry
Set value (int) Main\CompatibilityFlags = "0"
Key created Recovery\PendingRecovery
Key created SearchScopes
Key created LowRegistry\DOMStorage
Key created LowRegistry\DontShowMeThisDialogAgain
Key created DomainSuggestion
Key created IETld\LowMic
Set value (str) Main\FullScreen = "no"
Set value (str) Main\WindowsSearch\Version = "WS not running"
Key created TabbedBrowsing
Key created IntelliForms
Key created InternetRegistry
Set value (int) Recovery\PendingRecovery\AdminActive = "1"
Set value (int) TabbedBrowsing\NTPFirstRun = "1"
Key created TabbedBrowsing\NewTabPage
Key created Main
Key created Main (IEXPLORE.EXE)
Set value (int) Recovery\AdminActive\{6A9261F1-BCB7-11EF-9A84-E699F793024F} = "0"
Set value (int) SearchScopes\DownloadRetries = "2"
Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
Key created Zoom
Set value (int) Recovery\PendingRecovery\AdminActive = "0"
Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c3aa4f32c6048c47b8d102886cf0bcf8000000000200000000001066000000010000200000009e1f388da4136314cda01f67744d66bc14b8920aa91cf67438808acf12876bdc000000000e800000000200002000000010eca3e214fb0b65061f48ad7891a16ced35ba226172f988e8e65a69a6afdcb02000000028cce64fdd43b3e86c933b70d50e32e33454e88f8556a6bba178ed1afc8f4c164000000032c675ab882d42a22b5e1694984d30a6a86c1d6fb1daf4213d052b3f15cb896f1425149e4d401be5b49758560274d2be80798ff77828d9fe037493c2a6a1a5f5
Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = f0f9e641c450db01
Set value (data) TabbedBrowsing\NewTabPage\MFV = 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
Set value (int) DomainSuggestion\NextUpdateDate = "440630010"
Key created BrowserEmulation\LowMic
Key created Toolbar\WebBrowser
Modifies registry class 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" by 222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Suspicious use of FindShellTrayWindow 1 IoCs
PID 2060: iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
PID 2060: iexplore.exe (2 calls)
PID 2080: IEXPLORE.EXE (4 calls)
Suspicious use of WriteProcessMemory 12 IoCs
PID 2400 (222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe) wrote to memory of PID 1328 (222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe), procid_target 30, 4 times
PID 1328 (222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe) wrote to memory of PID 2060 (iexplore.exe), procid_target 31, 4 times
PID 2060 (iexplore.exe) wrote to memory of PID 2080 (IEXPLORE.EXE), procid_target 32, 4 times
Each write goes from a parent into the child it has just started, so this is the generic parent-to-child pattern the sandbox flags on process creation, not evidence of injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe (PID 2400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe (PID 1328, child of 2400)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe (PID 2060, child of 1328)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://line.me/download
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2080, child of 2060)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
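The process tree is the most reusable detection material on the page: the submitted file relaunches a same-named copy of itself from a 3582-490 directory under %TEMP% (the extracted original host), and that relaunched host then opens Internet Explorer on https://line.me/download. As an added example that is not part of the sandbox report, the following Python runs three rules over constructed process-creation events shaped like Sysmon Event ID 1 fields. PIDs, images and command lines of the first four events are taken from the tree above; the parent of PID 2400 and the final svchost.com event (which did not occur in this run, since no EXE was launched through the hijacked association) are constructed, and the rule names and event layout are my own.

```python
"""Added example (not from the sandbox report): process-creation rules for
the Neshta execution chain, run over constructed events."""
import ntpath

SAMPLE = "222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe"
NESHTA_DROP_DIR = "\\3582-490\\"              # where Neshta writes the original host before running it
NESHTA_INTERPOSER = "\\windows\\svchost.com"  # copy named by the hijacked exefile association

# Constructed events. Fields follow Sysmon Event ID 1 naming loosely.
EVENTS = [
    {"pid": 2400, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\%s" % SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe",                 # parent assumed, not in the report
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\%s"' % SAMPLE},
    {"pid": 1328, "ppid": 2400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\3582-490\%s" % SAMPLE,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\%s" % SAMPLE,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\3582-490\%s"' % SAMPLE},
    {"pid": 2060, "ppid": 1328,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\3582-490\%s" % SAMPLE,
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://line.me/download'},
    {"pid": 2080, "ppid": 2060,
     "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2'},
    # Constructed: what a later EXE launch looks like once the association hijack is in place.
    {"pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\svchost.com",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\svchost.com "C:\Windows\System32\notepad.exe"'},
]


def detect_neshta_chain(events):
    """Return a list of (pid, rule) findings, processing events in creation order.

    neshta_host_relaunch : image lives under a 3582-490 directory and has the same
                           file name as its parent (the extracted original host)
    neshta_interposer    : C:\\Windows\\svchost.com started as the EXE handler
    relaunched_host_child: anything spawned directly by a flagged relaunched host
    """
    findings, relaunched = [], set()
    for ev in events:
        image, parent = ev["image"].lower(), ev["parent_image"].lower()
        if NESHTA_DROP_DIR in image and ntpath.basename(image) == ntpath.basename(parent):
            findings.append((ev["pid"], "neshta_host_relaunch"))
            relaunched.add(ev["pid"])
        elif image.endswith(NESHTA_INTERPOSER):
            findings.append((ev["pid"], "neshta_interposer"))
        elif ev["ppid"] in relaunched:
            findings.append((ev["pid"], "relaunched_host_child"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect_neshta_chain(EVENTS):
        print(pid, rule)
```

The third rule only fires on direct children of the relaunched host, so the IEXPLORE.EXE content process (PID 2080, a child of iexplore.exe) is left to the browser telemetry; whatever the relaunched host launches is the original program's behaviour, and here that is just an installer-style page open, not a second payload.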
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 547KB
MD5: cf6c595d3e5e9667667af096762fd9c4
SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b35b2efcdbb524f5b277a5b8cdfd83d7
SHA1: 49802b37a0bf13c56b442ab3e277a60c18367aca
SHA256: 8b485030c4115d925f4d847ef730aa58e560229ac9cbf447a131226a9214c249
SHA512: 2852d408cb4883165f902fb35bc860a5741798e857f1da94d8e7918f723b6b2c9c7876d10bc28d166d22461186d0c6b8317b97e20899d39ef7616e98b1b0bd94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1289774d3ee35e9e1570db76c69b4a05
SHA1: 12023e6604c2d0d796668cce2b24de8af89bb70c
SHA256: 68158ee2dd8f02d77ac25e664fa3722d84add5bab619e47d10652ebd2d5e7486
SHA512: 29da63f18ff369c3d0cac59f39dacb563987ee72017be00a127ee2676780fd28ec558ed1cd0f363d97e7a9994dee8573d31a8f5cddfbd2e4940fd78a8610f938

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 35b1a5810a4632d9fd5e4b6c2a43f25f
SHA1: 7a791d97747e6f5c5c020785bba20b1c5ed8dc4d
SHA256: 74cae1dbeeca4f60065b32195c9dff2ae0a57596831bce0a93e569644ef69c59
SHA512: ab057f2d5313df227052462b28932580e3056f0f42fee25d35ee60854a9e4a8eb0c84775904b93917201a25ea3debfe6888a69083906a4f981b6da035ebd2f51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 78e85cda9594e93abf0b0e8a5e7b269f
SHA1: 3591725d4e6c16acb3d958684811c0616afdfa2f
SHA256: efc337e96cca9623d65bd444d3c438d527182223d21a9ba57ce68a57ddf7de53
SHA512: dfa350daeb12c64db96603b504926e33efa65a5e7a31e3c2d65367339696301bba9a03a2447b78c6891bf688bd0d07cc63d000fabc1dd11d361c6b81c6043497

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ede2f4cfb028821e0d2eb79cee31b807
SHA1: 47eece9bfceb5242b7e5a9accc45411b6c8992a6
SHA256: b17c02a4945d7dd96664fc2cab0a9e95cdcb4d5e3008263b25ca48dd3dbac3a4
SHA512: bf52d076fbfe376995a509af774ae6e683b623034358f03f5603bbe584c7eed81746e09bfa7b64c270d5c40fade945a91d473c131fcd7f2fb7534104bb9e0a66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e7d7056e4481cd0a106ecac5fa50d45c
SHA1: 76948701003f7c52aa6d3335005c6395a214e287
SHA256: c683adf29cd308f8fd5cf99a26d1004871e9f2b60708e0f7bb83ecbf7f90f384
SHA512: 0a668702ed474b7729aa5ec4995ca11af079172a733c191a66efb777668df850d499305f7e0e59d4c0a161b2b892dc706913aa66a808ef8dbb848c613186c9ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7ce69feae30761a8f21c514863606072
SHA1: aa3b1a134e29e7ff26fa1e7d8650fc9337dc2990
SHA256: 1da5f76d2e9b197cc5dc62138886a35c617550790a4c1dab2fc9e5158d0f9c74
SHA512: f54ab6fc68309f1e6cc2fb851a686d65013b559375f1167b3426b7d1099df21cccecb78049a54b160978a06b55fa98043c1875e7143d9447e0caa09d6370876d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9df2d1f326dcfa179c2915a6ecb2879f
SHA1: 92fa15e22f872c189dfe07e57c166b8527686d6f
SHA256: 58739f45f41c2d8143caa933c317e7f361ea4fe6c2bff946a7153706fcf1828b
SHA512: 0d695312e4aa82a76e911d0f378f2797c33670df2ebe87ed705acebca028c0c6400f48a6528ab3d3b47b81f9b6d30035baa3ce3d6891928616cd308a1ea7ace1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 71589ba713c0663263fb0ecd2dcfde50
SHA1: 34d91a8a196320aa2fdc9601b81711d49e870a51
SHA256: 9c2efbffd25ff3ebdcb0b9243cd4e5219e0b20b1e74ee70146e8f232c7d6a209
SHA512: 440948f1fda17a62186d7a5a60f8a8370dd239d80fc2b093f3b7d692203aad9caa59d247a63e972ded4e078cac5eaf1e9c6c32d3ce4cb0aa85749829c0fdd44d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2e28b3dd9a52a80d744a7c246fffd029
SHA1: 24f4db82cd6ffe500d9fc9abc1b3431735b2c4a4
SHA256: 008e88aa2f266f64fb79d14d7fb7934d893d7fecc7062aba6c040a658a2de63f
SHA512: 078437c8d991d55f2150d5d496441a017acad1e469e4351adc2b2c0585b7b5f3c5d74cd4da5251fbd9ce02e0e03a6afb98e7c7c7d370eb4d8142612592c6eb9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2a8c6d7e25e38baead339f7d32406de1
SHA1: 3cb5c81b160d76a606140eaef8812c7f7ff82cb1
SHA256: b4db350799d60c98bd73a4a80cd9b29911e1298c0c8802a231b52b6539055c96
SHA512: cf10c917f8adb29d146e668d605c65195afefc47d91cf6b029b3f8f6cce4c486b0b123b16e06acefb92d3e3020ed2a967be0225b985a253b3997126937167592

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 28ea027a699bee22b6b143710e7335ee
SHA1: 5bf8346a09f3136f745def83d2a0cea9700c663c
SHA256: 658bd8f38fc8838879d357c387abfd21685155c28bfcbb212a0cd259ecc4b0be
SHA512: eb9436840974f1a0b0e37c7a4ee712412ca5b042d566b0733dee05567827c14091be4378d0f57c3ab812254512bca0e68b0546eb0d1fe7fa31d340ad97b4048a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 3d4c933f424a1942fb01cdf958a7aaf2
SHA1: f12b56265564d42bb4172aeecaaa4a21aca15fb5
SHA256: 4b5c88e5cbcd6807d449e05772d34b224c35c7c76524cc725160c73573ba4e95
SHA512: db66668193bdb2e889d11b6089ca68327123238621d0607d00c8c38f10744dfeba50e58f64dd3cc03aef45ff7bc6ca452a70a731cc9627bb994414f9a58d9459

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b38cf4f26d9c7f22245f8e0006da999e
SHA1: bf8195a0a2af4bf264067d8d86c3a80c7346f181
SHA256: a67bc1b533bc8a5affa7584e85ed7434a5673bd657029ebc42039685fa64ab19
SHA512: ef9d9727fe6a191a8ba0cc1e98581c7c219ab5cef40254f1e8fc60309b968df134c7cba482bfdb064d9b5fb37d9a26ab0a81114f906b40d11acf7a599e1eff14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c9fe14e3bbdd355ad908a4efc8d19a05
SHA1: 9292bff260485533ffec6137059a4e53a37cb8fa
SHA256: 3b944e019d9ac8ce191b65a1f61c8ecb8f796fa096fae96d0887d915b1473006
SHA512: d096a9c98d73e4ebd42ec527ab0167e2ec59e3c518c1631b2f695323a87fb6790be46285aa7d9631d6707cd4a6d328cd4b3bbddd055b465338e93c08c05e3b25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6fce219bc41bac2f1242e6d1973f9851
SHA1: e974bca9751c94b5f5e3c3ac4b5599b5f9d00793
SHA256: b58c03b31ea6b8c7781afcfdbceaa67cc1bea801f9f5ca9b3aa8733a74982921
SHA512: 1f9e0ea8a375244d5ecd4b0eb7ef7a1b79f5dc3b3d68b1a2adb185f22bd0834f1ea65694300fbfce1c2378a896de31b9fcd7bd1d693d040a04cb17ea954c91ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 059055684e15e30f896333be18a7ae27
SHA1: 2057c81dc540bf2abea5950fd5a2cae4d3a84b2f
SHA256: 4cca7a409c9c49985dfa38ab72a3b46cd2a9be7fe1f0d74bd014c4d7348f6c62
SHA512: ec4c7de5d27fbf9244f1ca5028f0a96198d268f678db01e711d6fca66df82a1b3639b97623b0e0427fe5bb3cf273d40e7617fcc925008e7cde8d5eb0133b6ccc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 49b4e1d564f83216a99aa1f152157eb6
SHA1: e6026bdd4ece76315cc17aced5dfd674aac85a0b
SHA256: a1911940e84e93040a33808dfc3860f8709862a1e5cb408c0332499b415a9449
SHA512: 2faec54a840c5eb2c8d51b174adc024cbf2b9781cc42320d11b9cd71458a208c7c373739e5bc9749f40653c2dfc413321ab37c2f72ccc21289152e3c6a065feb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 285f7d01388a74be115a9c9cee7caf06
SHA1: 20417147acf437d81c46fd8aeb49cacff8de0e71
SHA256: 85d9a2bca19d873b823020e6c0cfd4554572a91f70fc9bd3e6ba967848325dc2
SHA512: c14edaa51858da9b410640ef0d78851fab3a7970d147275d1f50d8cf7420cc6b186058979fb54f21c41236b81573cc1002fdc43d3e63ba377921185bc43ea0d3

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

\Users\Admin\AppData\Local\Temp\3582-490\222194685466fcfa1acfa6a1135d6b6b0f2093dfdc16e1faa1fe228fcc657f6d.exe
Filesize: 1.7MB
MD5: 88b025628d6a11f175efc3e408f15bc7
SHA1: 9052d13959414970d1101dc015373b2b6f3db491
SHA256: c989d724540a41e68eabd23badfb429d61745af88444e26fdd38a2f4ef64a8d6
SHA512: 8f6caa9da491a40eb6c74f1d4addc82b6a169d4624375efc88a3dadbec3968a07017cd1e9d609a9c9023a5afb2994af59d41822e7a3539e1f5ba2512f9522f40