neshta | 8347f09726c227a84c5c051c3cf8e8754969440608eba9f149f6c62f64f9fda0

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
Size

460KB
MD5

b94b826c85f65dc56bd8a15af66ee0ff
SHA1

4d485a02a72fe62dfc308b01826ec0c37170053f
SHA256

8347f09726c227a84c5c051c3cf8e8754969440608eba9f149f6c62f64f9fda0
SHA512

a1cbd3090c19b321379f35a235249e3dd0c076e316217f020c00047f8a498344295a6f0d992e773ea83bcfc45140c02b933132637f23a59802ede42fc59709c7
SSDEEP

12288:B5hVCw+jfJX2iazXZXsFy+n/GoJ+3Pj1d:B5hVD+jfpabwuz3r1

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001227e-38.dat	family_neshta
behavioral1/files/0x00010000000103d4-253.dat	family_neshta
behavioral1/memory/2836-360-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2836-362-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Deletes itself 1 IoCs

pid	Process
1992	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	Logo1_.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe

Loads dropped DLL 64 IoCs

pid	Process
1992	cmd.exe
1992	cmd.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
2836	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	Logo1_.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTA\8.0\x86\VSTA_E~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	Logo1_.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	Logo1_.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\READER~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~2.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SMARTT~1\SMARTT~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Logo1_.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File created	C:\Windows\Logo1_.exe	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
File created	C:\Windows\virDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2368	Logo1_.exe
2368	Logo1_.exe
2368	Logo1_.exe
2368	Logo1_.exe
2368	Logo1_.exe
2368	Logo1_.exe
2368	Logo1_.exe
2368	Logo1_.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1992	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	30
PID 2408 wrote to memory of 1992	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	30
PID 2408 wrote to memory of 1992	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	30
PID 2408 wrote to memory of 1992	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	30
PID 2408 wrote to memory of 2368	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	31
PID 2408 wrote to memory of 2368	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	31
PID 2408 wrote to memory of 2368	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	31
PID 2408 wrote to memory of 2368	2408	JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe	31
PID 2368 wrote to memory of 1204	2368	Logo1_.exe	21
PID 2368 wrote to memory of 1204	2368	Logo1_.exe	21
PID 1992 wrote to memory of 2836	1992	cmd.exe	33
PID 1992 wrote to memory of 2836	1992	cmd.exe	33
PID 1992 wrote to memory of 2836	1992	cmd.exe	33
PID 1992 wrote to memory of 2836	1992	cmd.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC024.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2836
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
877KB

MD5
ec64b3fb5d8d388fad8f1eb83546fbd8

SHA1
4b93c34a11d3b8a6abf446a7ba710561bf51056d

SHA256
a220efc3f265e5c7cb5f3eb6353d92009b00b623411ffae568a633e95b34540f

SHA512
798604abae68706ecfac0bbcf0690e478f126830456b71a55923749b4833f56e5e4c67084035ecb00af0ea82f9a9e06f0c736adf4f22643082a0f18a736e7d75

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
565KB

MD5
0bfc071861855116cdf134072612ed8a

SHA1
d075d210a90ca16c848c69525e150a88d47c5feb

SHA256
0ffc54b7e365a2fcf1aa676ef2dce50df1b3b959b9a09af6c12ecd26e80d0b27

SHA512
fe5e0637f2cb08ad0b50ceb4fed4018548bc619f1e66ea7c8fe60f6ae66ded8dee35b2dc4740d5fba9d1b2a63247ec0f0fdb8318ff74c677613bd60b2b08608c

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
204KB

MD5
5aa731dc46b5e5c901dfbab51eee782d

SHA1
031c50f62089178afa967a8d8f2df25e2677d3f8

SHA256
c8784a4b5d3ff10b289c9c8e6b961374ef08045421683d76afa0578bbca08e55

SHA512
b4c96dddc02b8723f264de3d29a985bcafcd13a9d121195fc2c81bb00f100b945df6c334fe2e80cb3f0982feb8f5aeba9915205b25b6231788d3fc271734ff4f

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
02bb1c2cb734947e09dbf679728153c2

SHA1
11672876d26679e0d0bf015e719368934ce0a92b

SHA256
85d3fe0d47e9891a4a2a15007c1685a46760a13e6c54ce8b331411abd77c2a4e

SHA512
ce9777fbb95f338ac44fb043a28776aab4c4ee83270dd2ffacd921bb7b9e7d8404b8becb933a7231723e47351d8c6213a118af1bc3214f3dabe9decb4d158cb2

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACRORD~1.EXE

Filesize
72KB

MD5
b8643f86209211cdb815ae6e389e6668

SHA1
3250e7a2b87ff50c9b55699737999017d265d9ae

SHA256
2ea8e9c88e2fa398b660b424ab8d3172acb2a7bb1ced96f2b7b1887c512abb0b

SHA512
a3592949532e7e0537c679846723f260091500de6b87eb69ee15cac12aa6bcb3291a8cc54056ab775b484145ec1df5ab1faa09e310a3c13e2a3b0ff2be570c36

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROTE~1.EXE

Filesize
83KB

MD5
047d485afd39200e17ff7a9ca8cc6e88

SHA1
5eeef14d31ec4089c7685f056d2fcb599ced27cd

SHA256
019ac30fecfd0dfa0ccb3fc6d822ad924c29feaea46cd42c61723499f4c5e402

SHA512
e1023797fdb4a0c4aae6f190769f750762a94363d2f3b7ec6302e3de9e458062ce2c226410e53a35a47bc2ccf7c56d9d0e09ee85fffcc73882649a334a952954

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
587KB

MD5
b49ad26cba9b9009d5f67d07dac2b897

SHA1
9590b3f3172eed64e8598afed96789071ea12e3b

SHA256
dc22c3c39d9915037e706bfc0d61e4822b3749621032f0080dfe06b9822e71be

SHA512
d9d845ab703b3afb063110f8e7af5ef5a472adf1ae989cf83626baa951d28da0577ac45c08cb3fcb9cf30fe04719ffcf4affd57a2fa2bf1daa5f3c71f456f54d

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
391KB

MD5
fdba9d89470d5083a20b34a09c0969d0

SHA1
7c958473036580d1ec9f0106e3b5c18846d41ccd

SHA256
541656d276e2c324b1fb14fd6ed46eb42458f6cb9fbad96fd3bcc1a45b8eaf2f

SHA512
9b6bf31d03ca60d00e305792b6431c276de06dbbc475dcb3f9465c653d297307d04190896d3a6910a3e45755f7e2df0d01bf3b4681810f6c5357c2a79127e4a0

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
118KB

MD5
da6bb9665cceaab0c4e51d1916551233

SHA1
0528c19485888a30d3658e97d6077bca75a7da42

SHA256
70157894f739564bdf4624a88c452ba08b947e11bcbae85838030cb213fc6141

SHA512
c683ee179975275ad213ca9109b5d9ce3485f3bbaaba7bbdc6f8565b15675836ce6fdaedce137401ce2cc1e3cdedbb356a45c5c75a8d571a79db024b5ee730d5

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~2.EXE

Filesize
93KB

MD5
cfe605bc8c5613b1bc3c1f7ca875e612

SHA1
ac7e94d5d62cb94cd033a2b7696ab0399f8de801

SHA256
eb33a59bf566b10540f3532c62347d923e7eb258ac33dde93489b7b7a886eef5

SHA512
d46cf58f75162d20ac4b4c3b54d4f5813d08d8ea45c03e863ab54c63f7c6d6e21debb8c841d829db7315f9f7003909c8626f5b181616ac7b384dd04c21ffebb5

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\AIRAPP~1.EXE

Filesize
90KB

MD5
3a20b81882d01009894424e30bc80268

SHA1
ca06348e8484e348d38194e46daa3446c1e6a63f

SHA256
9ed71c17c6b62d1109d853d817c0770f311a9dcab75c0a0a5c23051ce564dd23

SHA512
984ee251bf2510b8d2ebefed4c7f7e6ab3c72f91efec7038a72f5e552e4bb5ab784525f6cf9b267e616e64aa9653ad4798e2a245ecfd3dc72afef2da93e7be4d

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\template.exe

Filesize
64KB

MD5
f249c22663e6e3a95a107e45df68ebb1

SHA1
a266164eb85cf8509a26c2e7453156078da0c65e

SHA256
41a6938198ab7717090c9c11b1cdf76c02a4209e2bb1e96634d5a405e4bddd3b

SHA512
8067a132064be2205aa39947171d0c7a7d63a98ac898159e33f14bbd28cf7af1d6638f08e997c7d9e170ed04795dd48f3b13f0277d3aa50fb6a0e7fd30a4dd8d

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.5MB

MD5
25690a3b213174df3b3a4551fd59cd75

SHA1
6c07e918abb20e4a4ba8b2fb65000bb51a589965

SHA256
5ffd55a2f0b1ef5ac9d610353934edb62436e7ba3a66608605178ecb11d03d79

SHA512
2128c62ebe8a4ac6497b22672cb07f4363b8ffa39b05a3c1245da403f485298b8f9db69326d76502212ddc9a26039094d49b2a5dea192136f98e29caa5da4f06

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
589KB

MD5
3bbf0e9832eda89edc03f268cf2e3cfd

SHA1
5b4cba4cbf593407684494f7e380a7206ff56a92

SHA256
279fdec1ea2d1e6ae1d26ca44331eaa2bf6965296ea6fe72626f00e57601a410

SHA512
f70ec9e6e70f29e153a28b83ce187834d1c2b9fcf78b165a660f4f21bf61e7a8f7bc9c132a795ea166299ba0a3e579a53ba0b640d99978a50e947eb4a6edf7bf

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
175KB

MD5
0700655951aef81131d27e3fb5a57621

SHA1
1b46f84e816e842eef730dd9fb6644ab3c265f46

SHA256
317241c41c32f0b15a129cbe0c32960e889a2e7795a893625a7cbd851a0cd468

SHA512
45b94d6dc5fdfa34cc766d980110bce450815101dc9b8701b3b2631a3cae4f90b9b9b2f397e3a5eae7afdcb32e58d3afd2f35aab9fe24e4ddc15bad3dcc4d003

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
247KB

MD5
f1ad36de3f69b366fca6f3bae6152c78

SHA1
72e8cf1010155b5dde2d0a83bcb7a62ee3464e9b

SHA256
899d8d6c802aef5df7ba57ef0ab0a195f47f6b1a1418cb49f23d235715fdad16

SHA512
2ae46e6d33b5e2fd705efb30adcb96ffcbfb32ad0d30acba4477e4c60fa5977bbe396315bbdaaefc64edc1f4372e457a28e43d9b5da41ad16543110bbbbff793

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

Filesize
1.1MB

MD5
8d774606618c6aa0f83f344641cbd042

SHA1
430269fd464e65ba2b3a8f10c4e16adb73a7a601

SHA256
fd0963291b4870f5634581c99b77e6fcecf4c078e3e10f874062b80424fcda8b

SHA512
10bfbe5ef36aaf89af0095c87e421d62b69b55bae3db3d89845c29809ba9d9ffad1af5d4f82122eb2138af8131f72c82c2d70756abee27104a83ad83c0942fd2

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE~1\OSPPRE~1.EXE

Filesize
72KB

MD5
a8fb420f6efec6fd923ce1fa3c824771

SHA1
d564f18afdbcc678fd4ff00b601b8d5f34769bba

SHA256
2b302513a5e41f66dcb4cd38ef2f37b8bfcb5fdca5c25ebc6152b1f3ddeba22e

SHA512
6fbfad70a6a2ac72095b2cd333f5c6c43b08dc0662fa74a09eb37367201f8d91b724b43f089d3ab724c6d78c29dfbbad28e86dcc0d963e95855184c14505d6c5

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SMARTT~1\SMARTT~1.EXE

Filesize
72KB

MD5
596cb3aba41f84ce0b4685633c8a7b1b

SHA1
ee3ad1f181f0c564c5c329f24c723b3d1d8a8978

SHA256
96ddb78e2d9a923dc81e21456b8a52b71feabecacfa754e5120f6aa408e40ddf

SHA512
33bd7f9be9b365a8bac95406f37cb31fc479309f2f4095cd87e658eb6522cd60a9e87b70cc52c16c365e6c643aef18c4ffcfa9146cf241116e0f0c903348fbbb

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE

Filesize
244KB

MD5
fe24f4ba15e380154291682893a3ca10

SHA1
6101bd4e0d742ce16a1143abbb3a647ca2ac4f96

SHA256
6eff7211ef26adf186382a3859387e7ef61b1fc422fb55436e2907f03fc4f402

SHA512
7e79f671c10a2df420b58929c4948fb54ceaf9de8b162e0b66b61558ade3a19a7abd517bcacf29f92a9ee5ae145270f497f99dd2dcbe1f7cf4a0cb7da3c96b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC024.bat

Filesize
614B

MD5
42cde5f2172e8d5306a8c280316ca624

SHA1
7d4727e2e7b9d0d1d0f7751a6581d6c6d5f95c67

SHA256
25df192ca7350e421d150ed7b69f72c3e1fdae1f0dbaf9f2a5f5ed9fdbe1281e

SHA512
3bc2548abc155d1993109eba3594e663e7cef2ca12a629e8cd6e187f5201f3c454877c26346748b9519e714c1b794297af78418037b02cc09d2c5c1f95831014

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b94b826c85f65dc56bd8a15af66ee0ff.exe.exe

Filesize
401KB

MD5
0c7b87ecbf2e1bb217d37b4da476b593

SHA1
cd7a547a07eb0b314e30d0c4dc8a7d82b70c14b4

SHA256
9b7485230085a4e8136baf2dcfab2502d55d122826c027c1b15dc96865b1cfec

SHA512
07d8516c39670670d6d7cc7da4e8971fd107085975cb52fce7e14ae85f287317621d246bf9e49a987eb9cbcc24950a2f0a877628dcc6583db741c3d55158d7ba

Download Submit
C:\Windows\Logo1_.exe

Filesize
58KB

MD5
40e65e3ec7edb93eedade3469d4ec59b

SHA1
cbf5862e3a44e4f6ae1cb46c2f5b574d5af3ec2f

SHA256
2ff5805f07ed1c9727f281db9cb1645a55ab9e3523104c83e114109197a4e8f3

SHA512
6ef2dcfd0d2627951c782296fd6f9b1e610d95001a87b67f345b9ccc3fac735b030c362702dab9795fdbeca167ec19b1d777183acf4c1aabb36e6378c781cf0e

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
155KB

MD5
e751d6ecc4d4db0aabc8a42754cd2b6b

SHA1
dcba141093cba9a50fdb156325c379eb4ede1afe

SHA256
5c7f51e0dc7b537ef3a57f02a0397dd34c4f1979f7a99afd1f452cb07289d647

SHA512
bd973e524940e4d8b6566c1b1b3ea518414139892747762840fa0f2a705c8aadbac68e7873efe9390a0b2cfa0f5bab5645e38876471f93fe42851bbcc74e3553

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\READER~1.EXE

Filesize
92KB

MD5
56698c98efa35cfbc1ee6ae5b047ae40

SHA1
b3719c3f652a1558ebfde6561f7b85043e8644d2

SHA256
c5b053af62b0b10f4c520135260323af8b890f3084fc2823083dfd0ae5c45e63

SHA512
7d0ab5906367277dfa4a590bc850c560a72a66892ddabd48e9461d6589e42ebf735d8414e24267d63133eb003c807d1a5fdfade9dc9d823c8ced6aac12f2bb65

Download Submit
\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
148KB

MD5
b98e40a9fe2cff5c7199c598cdbc8bfc

SHA1
dad86ef85c32d5c49f975f5fbb4ec92a90f240f9

SHA256
65d3ded56a01cb5687c2ece9d3dca5f953a92d3532bc778d03790e52b69bfcef

SHA512
dc5d6ceb40c3a2e69f0b9407356584427500d1ed6f4c1a20c0946c58e8f5d610aaf431232ee36dbc5f51a0708fe9c4fb03efa8719a2b265569876f422b72e080

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
521KB

MD5
b80064e4b283f5cac5be78b64ff9f4d8

SHA1
b54cfba82de47889dd21c8d7908e2f141c2dfcc8

SHA256
9aa1d971114f23d3050b8d9f1317c75d1ef14f694979f4dacc508dc01209de32

SHA512
b56276c426dae9f17af760c1a241b77ef62d23035f1ba52d84cdccad76621491ef1f56e46def67ef64984d0f539bb4e225ae897130d02483c02448f255effaa5

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
171KB

MD5
6483a4b24fe3f58fe06238ba050670ad

SHA1
bf3fd807bd3057410f3003070a41338901a73f17

SHA256
24e68c516ea0af9afcbd0e7c34cf1e2227100593f85001a5dc3c47497034c811

SHA512
883a00b7afb1ded7ee52654fc7af1df941f8dad9b0eda48f9d160332b82a6fa551f242bfd8dde955e108b1e2e9e2a29675a3e4d8ac2c5d899a4c61c101345a3e

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

Filesize
557KB

MD5
6d009c007f04a7c54ca9d9b63ea7334a

SHA1
a74255c4f41026d8dace87080abc891d7ef696a4

SHA256
3cf6b6c4ea9c2f842a754514608a81b5d948bbf5c563ce92bc49c718121abb0d

SHA512
3ebd635a2a781821d796f4d4141961ad799ea3530abd6ad9cddf2bfca52a4f736b5f39cc342f73b594b1bd40b2290bb5e7a7de88dee1128bf8ead7af2336c9bc

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
223KB

MD5
cba4ce8f42c113342686dc3e3caa466d

SHA1
468ebbc0380a524094726fcc682839778780431d

SHA256
16ac6b94524b23237cc9a34c3b84b08d7041a6fb72e8419c1e6e59a9a6b98d96

SHA512
7d67152898fb5860826dc3958a1c6143946dcc26a2ca83d0fba635b6810d6035b803f479d5ec2ca628fbc1778a8294180886fb635d74288f84dc55df7fb140d2

Download Submit
memory/1204-19-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2368-359-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2408-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2836-360-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2836-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download