Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-01-2025 23:42
Behavioral task: behavioral1
Sample: 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Resource: win7-20240903-en
General
Target: 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Size: 418KB
MD5: 58eb136fdbe15037179b44f133723c33
SHA1: c83e920a5b0a1f684c265208d0195829e36dfe79
SHA256: 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9
SHA512: c4f76809365c7df3ef8e13a2caa799906847d88f8e4cee8b034e77f193e2e9f9f28fd03035e11f940ab340cfd9e40019f5875ccb3543a454289d0002d29ff0ed
SSDEEP: 3072:Lr8zCz/U1KZvMivW+0g/W+fFHScL9/zRFuvxEJwDijpS4DbYc4:H/fvMA0+WEFycLhzevxEJF8
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures
-
Detect Neshta payload 5 IoCs
resource  yara_rule
- behavioral1/memory/1316-0-0x0000000000400000-0x000000000042D000-memory.dmp  family_neshta
- behavioral1/files/0x0008000000016edb-6.dat  family_neshta
- behavioral1/memory/1316-150-0x0000000000400000-0x000000000042D000-memory.dmp  family_neshta
- behavioral1/memory/1316-174-0x0000000000400000-0x000000000042D000-memory.dmp  family_neshta
- behavioral1/memory/1316-251-0x0000000000400000-0x000000000042D000-memory.dmp  family_neshta
Modifies firewall policy service 3 TTPs 3 IoCs
description  ioc  Process
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Neshta
Malware from the Neshta family is designed to infect other executable files with copies of itself in order to spread and cause damage.
-
Neshta family
-
Sality family
-
UAC bypass 1 IoCs
description  ioc  Process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Windows security bypass 6 IoCs
description  ioc  Process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Disables RegEdit via registry modification 1 IoCs
description  ioc  Process
- Set value (int)  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
pid  Process
- 2140  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- 1536  Un_A.exe
Loads dropped DLL 7 IoCs
pid  Process
- 1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- 2140  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- 1536  Un_A.exe  (3 entries)
- 1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- 1536  Un_A.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description  ioc  Process
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, etc.
-
Windows security modification 7 IoCs
description  ioc  Process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Checks whether UAC is enabled 1 IoCs
description  ioc  Process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
UPX packed file 27 IoCs
resource  yara_rule
- behavioral1/memory/1316-13-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-19-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-12-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-17-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-18-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-23-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-20-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-16-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-15-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-14-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-11-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-49-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-60-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-68-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-67-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-109-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-115-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-132-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-166-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-168-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-167-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-172-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-173-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-192-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-193-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-196-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
- behavioral1/memory/1316-252-0x0000000001DF0000-0x0000000002E7E000-memory.dmp  upx
Drops file in Program Files directory 64 IoCs
description  ioc  Process
All 64 entries have description "File opened for modification" and Process 4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe; the ioc column is:
- C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
- C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
- C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
- C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
- C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
- C:\PROGRA~2\WI54FB~1\wmpshare.exe
- C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
- C:\PROGRA~2\WI54FB~1\setup_wm.exe
- C:\PROGRA~2\WI54FB~1\WMPDMC.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\WI54FB~1\wmpconfig.exe
- C:\PROGRA~2\WI54FB~1\wmprph.exe
- C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
- C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
- C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
- C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
- C:\PROGRA~2\WINDOW~1\wab.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
- C:\PROGRA~2\WI54FB~1\wmlaunch.exe
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
- C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
Drops file in Windows directory 2 IoCs
description  ioc  Process
- File opened for modification  C:\Windows\SYSTEM.INI  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- File opened for modification  C:\Windows\svchost.com  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Un_A.exe
- Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
NSIS installer 3 IoCs
resource  yara_rule
- behavioral1/files/0x0008000000016edb-6.dat  nsis_installer_2
- behavioral1/files/0x0007000000017400-43.dat  nsis_installer_1
- behavioral1/files/0x0007000000017400-43.dat  nsis_installer_2
Modifies registry class 1 IoCs
description  ioc  Process
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid  Process
- 1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
- 1536  Un_A.exe  (18 entries)
- 1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 24 IoCs
description  pid  Process
- Token: SeDebugPrivilege  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  (24 identical entries)
Suspicious use of WriteProcessMemory 32 IoCs
description  pid  Process  procid_target
- PID 1316 wrote to memory of 2140  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  30  (4 entries)
- PID 1316 wrote to memory of 1108  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  19
- PID 1316 wrote to memory of 1164  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  20
- PID 1316 wrote to memory of 1204  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  21
- PID 1316 wrote to memory of 1620  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  25
- PID 2140 wrote to memory of 1536  2140  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  31  (4 entries)
- PID 1536 wrote to memory of 2832  1536  Un_A.exe  32  (4 entries)
- PID 1536 wrote to memory of 2040  1536  Un_A.exe  34  (4 entries)
- PID 1536 wrote to memory of 1908  1536  Un_A.exe  36  (4 entries)
- PID 1316 wrote to memory of 1108  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  19
- PID 1316 wrote to memory of 1164  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  20
- PID 1316 wrote to memory of 1204  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  21
- PID 1316 wrote to memory of 1620  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  25
- PID 1316 wrote to memory of 1108  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  19
- PID 1316 wrote to memory of 1164  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  20
- PID 1316 wrote to memory of 1204  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  21
- PID 1316 wrote to memory of 1620  1316  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  25
System policy modification 1 TTPs 1 IoCs
description  ioc  Process
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
Processes
PID 1108  C:\Windows\system32\taskhost.exe  command line: "taskhost.exe"
PID 1164  C:\Windows\system32\Dwm.exe  command line: "C:\Windows\system32\Dwm.exe"
PID 1204  C:\Windows\Explorer.EXE  command line: C:\Windows\Explorer.EXE
  PID 1316  C:\Users\Admin\AppData\Local\Temp\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  command line: "C:\Users\Admin\AppData\Local\Temp\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID 2140  C:\Users\Admin\AppData\Local\Temp\3582-490\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe  command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 1536  C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe  command line: "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\3582-490\
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID 2832  C:\Windows\SysWOW64\schtasks.exe  command line: schtasks.exe /delete /tn "UsbFix Boot Scan" /f
          - System Location Discovery: System Language Discovery
        PID 2040  C:\Windows\SysWOW64\schtasks.exe  command line: schtasks.exe /delete /tn "UsbFix Start" /f
          - System Location Discovery: System Language Discovery
        PID 1908  C:\Windows\SysWOW64\schtasks.exe  command line: schtasks.exe /delete /tn "UsbFix Monitor" /f
          - System Location Discovery: System Language Discovery
PID 1620  C:\Windows\system32\DllHost.exe  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0F76EED2_Rar\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
  Filesize: 346KB
  MD5: f2c47304fd5347c1274418796da953c0
  SHA1: 8a76e411b32c094a03e8a1462cdd522fd2133846
  SHA256: 5c7eca3fd4a4a610aa29a0ab31ee97eeff640875383e048f7950a2aa13702681
  SHA512: 3684923989bc750cb0c09f3b18f8b9ad3ef0cf263fdbc8abcb5ac44ead73b4588de5fb06749dadb7a22d10c07fce74fbca1c8cb5ceaaa7f98e27f98f54423453
- C:\Users\Admin\AppData\Local\Temp\3582-490\4c51625ed9f10ee2566f7572ef34d83b5c7a9f496aff19ac42ae9ba60aaa26d9.exe
  Filesize: 305KB
  MD5: 03d79a2f4369678343f8f99afa39dc5f
  SHA1: 07154dbea3dde2c3c924cf91c87bf984b5f3d654
  SHA256: 27158949ee4a1d8149648258f8ec57d906c21ec07d5cdf1d011b4407f0d0eb85
  SHA512: 93d80fb5046e9836b8c62985cb2594df95a2d76a0c0b9568675cc2ffae800c3644edc8cb4bc04b204309551683d01e64cbf52cd4136ff624b0b61717ad58bfb1
- Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- Filesize: 6KB
  MD5: b38561661a7164e3bbb04edc3718fe89
  SHA1: f13c873c8db121ba21244b1e9a457204360d543f
  SHA256: c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9
  SHA512: fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced
- Filesize: 4KB
  MD5: faa7f034b38e729a983965c04cc70fc1
  SHA1: df8bda55b498976ea47d25d8a77539b049dab55e
  SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
  SHA512: 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf