Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09-01-2025 03:15
Behavioral task: behavioral1
Sample: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Resource: win7-20240903-en
General
Target: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Size: 2.5MB
MD5: 7d34fda9c89105cfd5c99260061b0642
SHA1: b0249486724a6777cec133bb3818900378fec31c
SHA256: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060
SHA512: 574aca7696402594c44180f24352b7ce5258a58879ac7a795bac0f4a5c3b73f15fcba7f6b04c7119b15107dffec076ab25dfc95d3630e1c7e5301c492667b7b1
SSDEEP: 49152:crenjNJBfl7UGDxNug/EQ85aaKAdtl0Wf+:0eD7XV+9asT+
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
http://klkjwre77638dfqwieuoi888.info/
Signatures

Detect Neshta payload (5 IoCs)
yara_rule family_neshta matched on:
behavioral1/memory/1932-0-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral1/files/0x000800000001739c-6.dat
behavioral1/memory/1932-90-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral1/memory/1932-147-0x0000000000400000-0x000000000042E000-memory.dmp
behavioral1/memory/1932-224-0x0000000000400000-0x000000000042E000-memory.dmp

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Neshta
Malware from the Neshta family is a file infector: it inserts its own code into other executable files in order to spread and cause damage.

Neshta family

Sality family

UAC bypass
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Disables RegEdit via registry modification (1 IoC)
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Executes dropped EXE (1 IoC)
PID 2712: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe

Loads dropped DLL (2 IoCs)
PID 1932: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe (2 entries)

Modifies system executable filetype association (2 TTPs, 1 IoC)
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Windows security modification
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc

Checks whether UAC is enabled
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
yara rule upx matched (26 IoCs)
All matches are in the region 0x0000000001D90000-0x0000000002E1E000 of PID 1932:
behavioral1/memory/1932-18-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-10-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-13-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-17-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-16-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-14-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-11-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-15-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-12-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-45-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-46-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-49-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-51-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-58-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-60-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-88-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-118-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-127-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-128-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-140-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-145-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-149-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-166-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-167-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-170-0x0000000001D90000-0x0000000002E1E000-memory.dmp
behavioral1/memory/1932-225-0x0000000001D90000-0x0000000002E1E000-memory.dmp
Drops file in Program Files directory (64 IoCs)
Process for every entry: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE
Drops file in Windows directory (2 IoCs)
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
File opened for modification C:\Windows\SYSTEM.INI
File opened for modification C:\Windows\svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Modifies registry class (1 IoC)
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 1932: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe (3 identical entries)

Suspicious use of AdjustPrivilegeToken (25 IoCs)
Token: SeDebugPrivilege, PID 1932, 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe (25 identical entries)

Suspicious use of WriteProcessMemory (16 IoCs)
Source process for every entry: PID 1932, 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
PID 1932 wrote to memory of 1116 (procid_target 19)
PID 1932 wrote to memory of 1168 (procid_target 20)
PID 1932 wrote to memory of 1224 (procid_target 21)
PID 1932 wrote to memory of 1336 (procid_target 23)
PID 1932 wrote to memory of 2712 (procid_target 31)
PID 1932 wrote to memory of 2712 (procid_target 31)
PID 1932 wrote to memory of 2712 (procid_target 31)
PID 1932 wrote to memory of 2712 (procid_target 31)
PID 1932 wrote to memory of 1116 (procid_target 19)
PID 1932 wrote to memory of 1168 (procid_target 20)
PID 1932 wrote to memory of 1224 (procid_target 21)
PID 1932 wrote to memory of 1336 (procid_target 23)
PID 1932 wrote to memory of 1116 (procid_target 19)
PID 1932 wrote to memory of 1168 (procid_target 20)
PID 1932 wrote to memory of 1224 (procid_target 21)
PID 1932 wrote to memory of 1336 (procid_target 23)

System policy modification (1 TTP, 1 IoC)
Process: 80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1116

C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1168

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1224

  child: C:\Users\Admin\AppData\Local\Temp\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe"
    PID: 1932
    signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    child: C:\Users\Admin\AppData\Local\Temp\3582-490\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe"
      PID: 2712
      signatures:
      - Executes dropped EXE

C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1336
Network

MITRE ATT&CK Enterprise v15

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\0F76E1B8_Rar\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Filesize: 2.4MB
MD5: 38de3be9b742e3cf956a38368ef47971
SHA1: 48b59b6940cd7c8be80377677d0a882e3cb80a5c
SHA256: 29b2dbc59ee8e6960353e5f5b405df41d8f617d71fd134136b340c1636276faf
SHA512: b5c535a738989a0b52e81b6233e6ffea3559a2b4859d26c33adf212ff64408ef19603986421d44ef8a2f5553437c9799509988fd0d7d21e3a57941487cc18f9b

C:\Users\Admin\AppData\Local\Temp\3582-490\80e642dd7e4230a29731756515022aa2c5ec2324d0205fd6eb0d86b96a08f060.exe
Filesize: 2.3MB
MD5: 108b16788e195e9f7b6cbabda9204068
SHA1: d1118f08a1eddf94b80ad07e37c869522d2d56d0
SHA256: 9f8fabe5f9904c8a6952cb0977a0c192e6ff30a795f69c8bd5d976658729e338
SHA512: b14cc268c7538e1bc50e1d830eba8fd09f14ef3185a6cc0b56af3ed8b2d3f465517cef3075c0a9c576c61ed6e59b8aa408e741d620cd0fdd62b85108213eedef

Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156