neshta | b887255b8a0eb915181a8e773920adccf988808d0fa682aa7dfd1b36ea824f48

Analysis

max time kernel
359s
max time network
360s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
Size

2.7MB
MD5

fb0c0f6fbebfa06514f9be8d7f565d4f
SHA1

d655a3ccba664e0fb99503bd421d0f98e53d8eab
SHA256

06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177
SHA512

ffb9867bc1784a96cf348274ede557c0908ab96025f144a10c02fb3b9ce26bfbed1dd7ff2801934c122e53c161d32b907065a54a0849cf81c274660cb017ab91
SSDEEP

24576:+rrHVnPb6LLlhp9EHL/Sg0u1j0W/wqk6Tsp3DborU7oNO:2BnG+SNu1j0W/wqkFboQ7oNO

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010315-11.dat	family_neshta
behavioral1/memory/1080-91-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1080-93-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000700000001941b-94.dat	family_neshta
behavioral1/memory/1652-102-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 2 IoCs

pid	Process
2316	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
1652	svchost.com

Loads dropped DLL 7 IoCs

pid	Process
1080	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
1080	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2524	2316	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
304	chrome.exe
304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe
Token: SeShutdownPrivilege	304	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe
304	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2316	1080	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	30
PID 1080 wrote to memory of 2316	1080	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	30
PID 1080 wrote to memory of 2316	1080	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	30
PID 1080 wrote to memory of 2316	1080	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	30
PID 2316 wrote to memory of 2524	2316	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	32
PID 2316 wrote to memory of 2524	2316	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	32
PID 2316 wrote to memory of 2524	2316	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	32
PID 2316 wrote to memory of 2524	2316	06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe	32
PID 1652 wrote to memory of 304	1652	svchost.com	34
PID 1652 wrote to memory of 304	1652	svchost.com	34
PID 1652 wrote to memory of 304	1652	svchost.com	34
PID 1652 wrote to memory of 304	1652	svchost.com	34
PID 304 wrote to memory of 1688	304	chrome.exe	35
PID 304 wrote to memory of 1688	304	chrome.exe	35
PID 304 wrote to memory of 1688	304	chrome.exe	35
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 2716	304	chrome.exe	37
PID 304 wrote to memory of 1472	304	chrome.exe	38
PID 304 wrote to memory of 1472	304	chrome.exe	38
PID 304 wrote to memory of 1472	304	chrome.exe	38
PID 304 wrote to memory of 1632	304	chrome.exe	39
PID 304 wrote to memory of 1632	304	chrome.exe	39
PID 304 wrote to memory of 1632	304	chrome.exe	39
PID 304 wrote to memory of 1632	304	chrome.exe	39
PID 304 wrote to memory of 1632	304	chrome.exe	39
PID 304 wrote to memory of 1632	304	chrome.exe	39
PID 304 wrote to memory of 1632	304	chrome.exe	39

C:\Users\Admin\AppData\Local\Temp\06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
"C:\Users\Admin\AppData\Local\Temp\06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\3582-490\06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 536
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2524

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
  C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ee9758,0x7fef6ee9768,0x7fef6ee9778
    3⤵
    PID:1688
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:2
    3⤵
    PID:2716
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:8
    3⤵
    PID:1472
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:8
    3⤵
    PID:1632
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2076 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:1
    3⤵
    PID:600
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2084 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:1
    3⤵
    PID:988
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:2
    3⤵
    PID:2240
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1512 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:1
    3⤵
    PID:2184
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1128,i,8725606444410759362,3609893979300251861,131072 /prefetch:8
    3⤵
    PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4bf62ea2-cba9-4e3c-a511-b2cd07af5390.tmp

Filesize
353KB

MD5
cae54501c31d5691d5f40066af87dfc6

SHA1
36da980c2315f3db67106eaaf6b70db127da60b7

SHA256
b83dfc53082c54cb14d564997322ff10e6cfda00593ff79ac3495c973ad71ed8

SHA512
dd804d6d821bf282cab6a8ec78c4af89d472d6362e06fa87e148dcc3a7f88be913f6297c9fe3a5ec7a855fdb9c923abd7bc6e861d96f8d9085166527488e1b7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ebaa6de629455ce552b569313041c41f

SHA1
0aeb727b29a020205554541c32f910a2f620507b

SHA256
e2f68fb9ff9822e172391464b9f12eb99ada73d665e65cb8b7a739af41695aca

SHA512
56ec4f6625c02704ab8a81bf116c605e3cda0ca53dcc1587077dfb7ccd1c92b585c725219d705d4cd0ff1886c94525a7df45fd254cc3aac290c630ea5dfb5952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
63078e7b9032342624c9fe27e7a1230e

SHA1
2ab80e0d99b8c61327068c158e6d51c10127a738

SHA256
6f3ad6ea947272dc7f35b35d6350fde43c9956f4b853e899516d3478434affec

SHA512
502638a31db0ba4143c3322e165359360d4a5fa3c00d927c0fec64462d2f807a3ed8104c0e5e8cbeda4e96064782571fccf1c4233d266e34661ac093a9743da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
353KB

MD5
d47727b44e1c4fc9261f29728abab01f

SHA1
245418c332f37d742d1ae6de72ef1e6c5b46e0cb

SHA256
2c7b054db7a05e8bc3cf09adc50774ce8abf7a4a1749a79370fceded4eb23eea

SHA512
15328cef023e84fdc81d50e1c12d23937be609c8815fc015583d77f907e5899457ae45e4067cda4e4bef066718eecef8f9520a886cbe0b7a086423fce772bc72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
0f4bfb4ff7b21cc7016c627dd0002f5d

SHA1
526a73702ec0ba45763b15cf6326997c42fb69c2

SHA256
a144a2e3317783774eb54fd623024e7485b0ce78dab8c5ea6c5be6d067faa137

SHA512
9920aa98fb077f9737ba828260a64279446601cd1bf776c6e889c609069e1c66916767cfe2d911e0061111ac3b4e0c4a6b26834c5015f8562fe064396e342748

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
9e78db752a70ea04d8f3aad3b8d73a7b

SHA1
1329579c46be47be373069fd06a80421783b0c36

SHA256
b309d41e3ee8644008aab468ed9f8263e725daa430c27837e3cad0dc91c07ae5

SHA512
8dcb4a343f3a8b1255a8722a9ee6b6d119f365dfdae597b1c709ea613a534f3ea74ae2928d41a721147837ab2080b6ea3996e44c371ee3bbf2d08ef3c83bec83

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\06a997dc876b7d8161cb9a4e858f0f7049c5296e17c797f6f41e853f5449a177.exe

Filesize
2.7MB

MD5
d746706ce66642fdae025e48cb49b84b

SHA1
59dac75738ebd5068cbd68e758f21ba5ee2be44b

SHA256
6bd65092268061380b92356fc1db54157bb48a158059657796a3f27c503b46cf

SHA512
7e4df7442a6616a0a5d97c5b404e54c5ea743c4b3ab817d3d1f6ad70f48615707de63c5f3475f717500d71f7d5b033dc6a5a82b8279d558049d4bcace58bb7a2

Download Submit
memory/1080-93-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1080-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1652-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-13-0x0000000000FF0000-0x000000000129C000-memory.dmp

Filesize
2.7MB

Download
memory/2316-12-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/2716-135-0x0000000077890000-0x0000000077891000-memory.dmp

Filesize
4KB

Download
memory/2716-103-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download