neshta | 56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bf

Analysis

max time kernel
107s
max time network
81s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
Size

1.8MB
MD5

64a042a27bd81a7c49a721e7ed29cfd0
SHA1

67496d49dbb5088bd93a51c2d312af42d92b288d
SHA256

56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bf
SHA512

23d99609a856e5dc7e965ca8a22eb8487f5719bfd201704f75669fe0b7da59db03663c396aab0f89d7720ba51abe7810ae8c4d712504ad314a2e311e58d8046d
SSDEEP

6144:k9k/uXEnYjMgrB9aQHzqEgRgeAOYs73ptq2xcqC4PQB3O23dXZ:WWYowTqXWs7322xc14PO3O23n

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-10.dat	family_neshta
behavioral1/memory/524-83-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/524-516-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/524-517-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/524-519-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 1 IoCs

pid	Process
2552	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Loads dropped DLL 2 IoCs

pid	Process
524	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
524	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64431581-BDE1-11EF-98B1-E20EBDDD16B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000ddd6ba6811474756d1b0515fe118dbf1294c2d58057e50670163816424fbba9b000000000e800000000200002000000053c29367e51191fc5582b25cf874a0ff1b7d5f69550af65951c3d258bc8b1c64900000004565712c67577d6797a52b7ef460b097e625e66fe7e518e79d5a53cb169c4ac9181d5e80a6a1728ec49b494f045ece47802c62a7df0b4c8a545373f725dab9a530cc91b59d84da9d92521c8def0f9183d0be3c4869bb6881a59eb82b62c8b19d8b6801e169fa580a7f91f9d109b65f4b4e8afa57397ba570f67d6fc43cfc92f1978e66469f234d0f22f7e00e9101e8e44000000057e73fe4e44c7600665eb9d3b4b0c8bdcf6e92f20867ee48421f734c255e07af4334979460a4f048e7dce66ac15212c3f16d5cd67a7313a7d6732256d79a3828	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000d7e479f61e4ae575733572d2dce27f6f80194041a2f9456f8097e10ab6161636000000000e80000000020000200000003eac6db8b9ddedcbf58a88e674eed9c2893fdde631d4e2af7cc384ddfe4c53da2000000009590a2f6b0490a298c7a0cf96260ad9d0f92e4c9127a5d4699ab010385d1e1e400000000bc325e23b016afeb1f4d5870ad1e9f42251b18c15a5f8dd6ddf8b4a93f882f62edb916a7d4ac618fb3e5c7d7b14d52b6d1b14a7b5dd0ea0e248c928c3599fb6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60522b3cee51db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440757992"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
772	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
772	iexplore.exe
772	iexplore.exe
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE
2080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2552	524	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	31
PID 524 wrote to memory of 2552	524	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	31
PID 524 wrote to memory of 2552	524	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	31
PID 524 wrote to memory of 2552	524	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	31
PID 2552 wrote to memory of 772	2552	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	32
PID 2552 wrote to memory of 772	2552	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	32
PID 2552 wrote to memory of 772	2552	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	32
PID 2552 wrote to memory of 772	2552	56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe	32
PID 772 wrote to memory of 2080	772	iexplore.exe	33
PID 772 wrote to memory of 2080	772	iexplore.exe	33
PID 772 wrote to memory of 2080	772	iexplore.exe	33
PID 772 wrote to memory of 2080	772	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
"C:\Users\Admin\AppData\Local\Temp\56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\3582-490\56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://line.me/download
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
574c7d1630f0937bdf8d759521a86715

SHA1
7dd58999082258de44ae7f000eae9b4ef9283477

SHA256
60f5d33dfd54aa68b394b1ef4dfab4d9283be79e086727078d6f20c898cf1ae1

SHA512
a794b67663d44941134c0e460ad44aa8ea6b98db9b630e106e1b5199cc49a450859700ecb6ffea28e84e2f383c0cb856d5c3f973e9601dc1f9787d2c955368f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c995cb3bb552112e2303e6dc6a69c42c

SHA1
82b91a322d516655288e2041440b8959cb75daac

SHA256
cab96501eba60b64f870fd68ce966b7f073521b7a317bf8343d38903002584b6

SHA512
6ae5d35384d2a977da87d4aff3ab1a748781bc6c6ba11d6c4aa93461f473c08682b8125dabc270646cc1d226b7676ed7f585a44fcb2b42f0e712e994ab4ef58e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6428d876559d9afd7d3465a9b50031c

SHA1
2133ccb86ccb611d6009673d13c0609784ecce13

SHA256
2d2232d95da5e9e201297ed5bb3de5e88d38dbcdb41714596d7a2c0f12fe90ec

SHA512
980a303e286b70ba8a65684d7cad87937e17f8a0de66cebff9cca14199fac03885440b52233acb742e0eb4ee833add9e89900f4b83817a460decb9044b935602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b3c9a841de2dafbfc78462b69b989ed

SHA1
a770115b4df94531d0cb100e2fdef73267f8f9a4

SHA256
a4bbccc6e0a79566d716b830eca1fa4f0432f8b4f776a09460417212fe64c684

SHA512
be311c32488e4d1570df1c7c154f4126b21d90cd6f01c4dfe813973fad70ff7af368c58bc15aa275ab5c6b87d83fc47a828255c6af1ae62ec111428ae9e6896c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36792994230e050268ea94f638877447

SHA1
8ee1b0792d6459a770765e8d1ae7d4eefa3c63fc

SHA256
f17e2dd713f3494046179e8e77759e1cb63260b068bbbd719b3b3b08ee6f1e15

SHA512
4ca2d2eaa8022955967278e754b243646498dcbc90999c6008a70342b13b05057f814430fca9b9b1519316ed784f84d57227d2f2424c6cba2ea7d83b448f767c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f1e25f462120c005b487b8bebdd00a5

SHA1
8df91692e8150bc4f6093ad3ba2265e965d0b8cc

SHA256
54a17b5591f01de6fbeccf7974a184cdfc1274706d474fb38a2e2c7a3a6dbfa2

SHA512
0c5501365671483ae55e49fbbc46105040872e46e61c71b5b3884df5b6ef5085ca546e3b74e8997e019d2f6ceec92628642a6bf9ab3554a33158b58af959314d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1311b51c2d4213a3da8f189a87d6b323

SHA1
8a4b38fdceb16ce78551ff717f344cfa9af3f08b

SHA256
20a18f582cc64375914487b1502f5b302b6203bf921f531b11627cfaf28f262f

SHA512
d7d82ce1386e2aa7963e96e29bef143b4a7f7bcb906e66b156dad7708719214453eab6408205adf2476fc1933354c483d056c934775dd50392c058b75497e8e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
338e786176f50801c0768100cf356a6d

SHA1
15027c4c80dfda1e7b620193846707256cf8e5de

SHA256
f6e6ee15b117cefda59c3e39bd6ae0810b48e02814d88846bc44643df3eda316

SHA512
d6f93488f55cfe22f8cc3fc99c4763254637b5bff09638ec847261b87778a2c36f1918d9530ac846396dddc96ccae954abe02fcce5c7ad65f9ab72535689f195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2c361474d018ca23307bc253aa7eba9

SHA1
7d4354afefabe90b6ab800f3a082d497a885a8d3

SHA256
4cdfc0a150d480c7188b236b978e72210cbc1130d53cd990dacd98e71d6442ad

SHA512
fd6b5e82142669c12ff37447947968a6f4153a14943129de5787feb2c45be8485964378a8676807f6da8cf499958fde768054e431f881ef4953627f275b0a537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fd265949e8ae37558c05587e25b1b6b

SHA1
f752c8872bdab48b7f5271d3c37eefe73b51e2e1

SHA256
2de322f37725d9030337542ea71d82a936f4817556e75c6519fa8946b4275932

SHA512
f67f8ad9dae41195b6af971f9951e8be74a6791dc7f5af97ac955dc3a4d8e6b0303c9eecaccd1ec05c7b18b41e6f3f25082a200da256fd8a64ca45e5f64e49eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03912aace1fb29220f15ea607c78afe1

SHA1
3ecec6e413553135b2afad4e775521c88865dfe7

SHA256
362e44f6087349053eb3dd27021c826623478d977a88dfd62a1c1dc8a547248b

SHA512
684b2f472488ec0e678801bc1f3f4248d17e101b354842f58d9861926cc82ded351b2362893f75f3af002115d80bc0281d26c70acaa826788ea36ab39fb2bd42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1584482c978d7b9255b74dec6ac8555

SHA1
d2a14761787fe7e78d9957c30f603c53adc36de0

SHA256
b064d67804098afd044b3caad4e9232c0f39005c10489b0f27ee130f39e833b0

SHA512
74885aa1c9cd6f7b3c25b873068c7cf5db7c42f3361cb32ded7546f8d63b55f4aeff1b6ba73f947e24f376a3c3b82343ba2d7deee6d8a0f6e95b71b90c2f35da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
090a2d04e86401da1ac9eb2da191209f

SHA1
9251d8655eaeb9b69863014cd7faa4aad0e1ae9b

SHA256
05162dacb7a9bd8c44c612ea890eb6915e846978eec2a708f13183314ff2a8a9

SHA512
3103abdd73891ad1f3cdf86335f061bc9bae846a46002b02c2a6a3bc9a195ce985ca87b2e67539e414bfb1a468a053303f210422e633bcf4a6f1eb1edbd248de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a33b9c61b2020bd946d031de51af84cd

SHA1
6ef155e63cd78b1235c97711c4f89e2989b7873d

SHA256
4a306e852b9b6765430452c225be60048d808c7bd0de01e970a068db84c3bb0c

SHA512
2ac6a8c01dbf1c376093e03569ca4ca7b626e7a53838df462b97a4915790426da930704de270f328f3324808fef14775e0e117654f856ede1344a4a0f04fccf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
849f81361dec12b1bfac2740b324d1a2

SHA1
6afa548cb34abe92904c691b9b404cafa6801744

SHA256
426fb4074257cd56d9b8dd7ca60a1f2dfaa17003b8d67257209fe50c821422e1

SHA512
670c170803c25d4222f59a7f61344097f1d1d44fefe7d0f0188c38eb09812deeaa9de0106b1c2a67dfbff0d020c79ea4088b5f26d9c7491974a3f3b248ee0f0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47a77a6afe938b21b5b29d3d13fe21d9

SHA1
c7c98d4b564c7c3724189e87e472ab166c238973

SHA256
7ff79707d53185e75985ca40195305c0190b5c2df972f69feb50cf38b6dc6902

SHA512
ac526d7c7ce93966322830257f55df9d52206e79ef2e6f17206f5cdb8eac9f23e6e9f6a00c101da0b839eb772ebf83363b6b7a805415fa0dad3f4c3ba3384838

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5babe7a2f1476bb407a133cf4a6db608

SHA1
c347884cad815242da0ee9156ad6c35fcbe18525

SHA256
75f83d73bf1e6ce5a78506175ec573b6f7fd6836007692d5a492869cd971cb79

SHA512
03ac0dec9af27bf3fd07aa6ec5c3b3f8a2acf3d7bf42934048a29dcd37e830b6a6f6fd13f716a8cf7263529f80932ff9f23cb95f1982d82c4fd65247dc941b98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7bb54798b3db50386be26a336ec8cd4

SHA1
a6786e6bef9f073452ad2dad8a487354489b3ce3

SHA256
a131cd699563a99cfe377f79705338b34085451c1f5ff35182db9140a1c3025a

SHA512
e2957d7d4880a7e4150a28bd0581163bc8e436e261ab2d8ff451073cc70f17e3cb7147cdda231ab4219c1cb16bc33c4fec5731522840d7bd1e5fb89397c658ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18d6479cff46bb7a94926150e48e1345

SHA1
cf1a986025b145a1222647e55a7a0a690e648423

SHA256
dca98ea31f57802788c8e3608573be29adb7739782636356d74ace80060706cf

SHA512
9cc6a66baa210117b591160bfd9ba47eddc1d66d83c992f1ad03eb6345baba9fc4a9040f00edf6eb4b43997c1b2691453ca8bab5d70ae8350228fac6fe86a7ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd01504e58f0be9585529887062c8137

SHA1
7b917dc47118722ec89fd810c1b2e71ebb0acf59

SHA256
9562dfdf691221d08fede68d05b09d55bfff9c7495c80cb55b93fc5e94dba927

SHA512
c5fb225b61310dd9faaae11b28c1447d097c797eeedd97be984c1cc1589441a5987c65fb9138d0c19f487cf17688cdf2cd1886b868d75dd55d0848b503c07acf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a3f42305eb3620cb990386868e94c5a

SHA1
946b0721ea4f5adf99e3f6905f7011fb83e10ff3

SHA256
b1740ecbf99531ee93ad1981f9a6923586c3f801dbacf49af09bc6454a39c830

SHA512
f1609b6d99548a022fb4e142472619b33f128fbc026739bdffb4c01f47eca887ced23735428521dd33830d2e30e53e39327a1f9789c67e3d0ec17064912b5112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d83b6131fe5120b39e443f8f9be30e6

SHA1
e4beab697fec0750c8644717ee0ed73b759f75ae

SHA256
79cfde988b267f0da1dc24443e5393b3f6e8f8019821e02dba0dfa9a89604cde

SHA512
642e68a79230721aaa35de575eee6fb339998e55fa1321c315d94fdd315e7db10137d02373f95c00256d055ef60b5f9413915b6e8c02f8d04b0269858afe8f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2916.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar29E4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\56745fe2d08286e02d8aca21ae5b349d2557d514ea178dcdfd6c25cc029355bfN.exe

Filesize
1.7MB

MD5
43810744aa996d9612d81b2883fcadd9

SHA1
7e7d7ea5395baf4fddff80b1aa2385f1c4292c63

SHA256
746f34fda96d8dc8f1e49423d282923bd6aaefce18e5bb2e4ab614ac4c6d7cdf

SHA512
b7fcf3a14102b1913dc8ca45d88fb848cddbeec2b4ad6f5452ae603e1a82ac146a9ce82aba11bbccd35f6e50b9f824c555a61c7d9044977bd19b51b985737594

Download Submit
memory/524-519-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/524-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/524-516-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/524-517-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads