Analysis
- max time kernel: 34s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/01/2025, 22:39
Behavioral task: behavioral1
- Sample: vaultFile17014791945718416581.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: vaultFile17014791945718416581.exe
- Resource: win10v2004-20241007-en
General
- Target: vaultFile17014791945718416581.exe
- Size: 129KB
- MD5: af5814f78ef77f83f9ead1caf5ada012
- SHA1: b9fe65dd240558a1d39b21a0d5f3b48345263eb4
- SHA256: 354622421a1966755dd59eff4145c8a7f1b6ed9cba2ca87f186e85f4e272b89f
- SHA512: 287afdb13169a5807d7248ca0db117c7364beb5e8daaa98abdcb81ff12c59a7c9e04dad52dfd695b2cac303894de958f1363200c505e0491a564eba3dcd16f65
- SSDEEP: 1536:JxqjQ+P04wsmJCsPKxG7QeLuk/3hIFmNjEX/QSjv+T:sr85CsSxG7hukqCAX/QSjve
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
resource | yara_rule
behavioral2/files/0x0006000000020228-17.dat | family_neshta
behavioral2/memory/5048-97-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/5048-98-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/5048-100-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Neshta
Malware from the Neshta family is a file infector: it injects itself into other executable files in order to spread and cause damage.
-
Neshta family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | vaultFile17014791945718416581.exe
Executes dropped EXE 1 IoCs
pid | Process
1208 | vaultFile17014791945718416581.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | vaultFile17014791945718416581.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive artefacts.
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | vaultFile17014791945718416581.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | vaultFile17014791945718416581.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | vaultFile17014791945718416581.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vaultFile17014791945718416581.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vaultFile17014791945718416581.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | vaultFile17014791945718416581.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary\CLSID | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode\ = "{85131631-480C-11D2-B1F9-00C04F86C324}" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode\ = "{0CF774D0-F077-11D1-B1BC-00C04F86C324}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.asp | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder\ = "Script Encoder Object" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{420B2830-E718-11CF-893D-00A0C9054228}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.htm | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cdx | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile | regsvr32.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1208 | vaultFile17014791945718416581.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 5048 wrote to memory of 1208 | 5048 | vaultFile17014791945718416581.exe | 83
PID 5048 wrote to memory of 1208 | 5048 | vaultFile17014791945718416581.exe | 83
PID 5048 wrote to memory of 1208 | 5048 | vaultFile17014791945718416581.exe | 83
PID 1208 wrote to memory of 2700 | 1208 | vaultFile17014791945718416581.exe | 84
PID 1208 wrote to memory of 2700 | 1208 | vaultFile17014791945718416581.exe | 84
PID 1208 wrote to memory of 2700 | 1208 | vaultFile17014791945718416581.exe | 84
PID 1208 wrote to memory of 1044 | 1208 | vaultFile17014791945718416581.exe | 85
PID 1208 wrote to memory of 1044 | 1208 | vaultFile17014791945718416581.exe | 85
PID 1208 wrote to memory of 1044 | 1208 | vaultFile17014791945718416581.exe | 85
PID 1208 wrote to memory of 4408 | 1208 | vaultFile17014791945718416581.exe | 86
PID 1208 wrote to memory of 4408 | 1208 | vaultFile17014791945718416581.exe | 86
PID 1208 wrote to memory of 4408 | 1208 | vaultFile17014791945718416581.exe | 86
PID 1208 wrote to memory of 4808 | 1208 | vaultFile17014791945718416581.exe | 87
PID 1208 wrote to memory of 4808 | 1208 | vaultFile17014791945718416581.exe | 87
PID 1208 wrote to memory of 4808 | 1208 | vaultFile17014791945718416581.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\vaultFile17014791945718416581.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\vaultFile17014791945718416581.exe"
  PID: 5048
  - Checks computer location settings
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\vaultFile17014791945718416581.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\vaultFile17014791945718416581.exe"
    PID: 1208
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (level 3)
      Command line: regsvr32 -s C:\Windows\System32\scrrun.dll
      PID: 2700
      - System Location Discovery: System Language Discovery
      - Modifies registry class
    - C:\Windows\SysWOW64\regsvr32.exe (level 3)
      Command line: regsvr32 -s C:\Windows\System32\msxml2.dll
      PID: 1044
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\regsvr32.exe (level 3)
      Command line: regsvr32 -s C:\Windows\System32\msxml3.dll
      PID: 4408
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\regsvr32.exe (level 3)
      Command line: regsvr32 -s C:\Windows\System32\msxml4.dll
      PID: 4808
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 86KB
  MD5: 3b73078a714bf61d1c19ebc3afc0e454
  SHA1: 9abeabd74613a2f533e2244c9ee6f967188e4e7e
  SHA256: ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
  SHA512: 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
- Filesize: 88KB
  MD5: 99f482ca3544aa262ea62e3e15fb2ac6
  SHA1: 287248aeeddc09dbbff13c54fca4a8cb636caf43
  SHA256: 309e066199b135d07e49120ae452171fd1e3b9dfe069ae1d63ab08f8b4d175da
  SHA512: ee67ba85dcf5c5b99b8ce74da8fe0ffaff2ec459adcfb4a597b20422e1af3f39fad2ac4637199b1e5a031083a54cf2535077944b113b45c1b3de4b3f4cec0097