neshta | ea7933f59d7a4ebe420c5c80cabea3ca183cd040f3d047360bdb0b71c2921844

Analysis

max time kernel
93s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-01-2025 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

officedeploymenttool_11509-33604.exe
Size

2.8MB
MD5

b4bf5401ac999a46a265c92d5606a27c
SHA1

18f917aac8f5380d280a25d0abfbd8207bc1ee96
SHA256

ea7933f59d7a4ebe420c5c80cabea3ca183cd040f3d047360bdb0b71c2921844
SHA512

fe3c40f237c669849641f0cf1d49d627bdab7b7399369900a49711d8036e080769da95a96f012b07f01731d536894982b2efa1d3620eb9cd08ab9c54cb35346d
SSDEEP

49152:LpIsZSxQ0O+cAtWreLVZlZSiju16pGUbETEUNuTxgpXWFBhRvCKPFyAQ:LudTNcDGXuYVEQUk2+1C+FyAQ

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0007000000027821-17.dat	family_neshta
behavioral1/files/0x0001000000029ecb-119.dat	family_neshta
behavioral1/memory/2912-124-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2912-126-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2912-128-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x001a00000002aab5-130.dat	family_neshta
behavioral1/memory/1572-137-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2168-156-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/4388-166-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2436-184-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 9 IoCs

pid	Process
4972	officedeploymenttool_11509-33604.exe
1572	svchost.com
4760	setup.exe
2168	svchost.com
3512	setup.exe
4388	svchost.com
1688	setup.exe
2436	svchost.com
1112	setup.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	officedeploymenttool_11509-33604.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	officedeploymenttool_11509-33604.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	officedeploymenttool_11509-33604.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	officedeploymenttool_11509-33604.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	officedeploymenttool_11509-33604.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	officedeploymenttool_11509-33604.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setup.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	setup.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	officedeploymenttool_11509-33604.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	officedeploymenttool_11509-33604.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	officedeploymenttool_11509-33604.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4760	setup.exe
3512	setup.exe
1688	setup.exe
1112	setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4972	2912	officedeploymenttool_11509-33604.exe	77
PID 2912 wrote to memory of 4972	2912	officedeploymenttool_11509-33604.exe	77
PID 2912 wrote to memory of 4972	2912	officedeploymenttool_11509-33604.exe	77
PID 1572 wrote to memory of 4760	1572	svchost.com	83
PID 1572 wrote to memory of 4760	1572	svchost.com	83
PID 1572 wrote to memory of 4760	1572	svchost.com	83
PID 2168 wrote to memory of 3512	2168	svchost.com	87
PID 2168 wrote to memory of 3512	2168	svchost.com	87
PID 2168 wrote to memory of 3512	2168	svchost.com	87
PID 4388 wrote to memory of 1688	4388	svchost.com	90
PID 4388 wrote to memory of 1688	4388	svchost.com	90
PID 4388 wrote to memory of 1688	4388	svchost.com	90
PID 2436 wrote to memory of 1112	2436	svchost.com	93
PID 2436 wrote to memory of 1112	2436	svchost.com	93
PID 2436 wrote to memory of 1112	2436	svchost.com	93

C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_11509-33604.exe
"C:\Users\Admin\AppData\Local\Temp\officedeploymenttool_11509-33604.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\3582-490\officedeploymenttool_11509-33604.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\officedeploymenttool_11509-33604.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1620

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\setup.exe
  C:\Users\Admin\setup.exe
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:4760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\setup.exe
  C:\Users\Admin\setup.exe
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:3512

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\setup.exe
  C:\Users\Admin\setup.exe
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:1688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\setup.exe
  C:\Users\Admin\setup.exe
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\setup.exe_Rules.xml

Filesize
362KB

MD5
b0cf4d4211af8f0b07acf093873de57c

SHA1
eda7231eb3cdaebb177474c01e5fff32578f9bb3

SHA256
4ab410ceb7b0b085d9097a17cbc56ada1c3760a534f7c95a0e016e81c8cb4bac

SHA512
3cb103a1ce7c05efb458b5e0ea8504307b63a0fb48e25125fe2ef29538d73692e2f8ba6d16571fdba7f9afd044feff823ec91d2f8ab338cfdb002094a0e25566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Filesize
1.6MB

MD5
3a3a71a5df2d162555fcda9bc0993d74

SHA1
95c7400f85325eba9b0a92abd80ea64b76917a1a

SHA256
0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8

SHA512
9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\officedeploymenttool_11509-33604.exe

Filesize
2.7MB

MD5
224301a7acd031d508619e40a1b92775

SHA1
8b3b09172e3d01ea8205abb14772d8e6aa36bdfa

SHA256
450f28e924cfe1931883ee7de2ea7252d0e03b770742258d4d9ced43718c3897

SHA512
98593d16c23918d68d994cc179627da06ac0b3f33d3d4b1f6965160c86a7ea0de68d0de850cf94181b7a3737eb6233c5230ccb35254fc45171c894482fcc6809

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
698f2d72057bb4fec5a884793edf2fc0

SHA1
052f17b9812911ff086c78f6e09b9cc578c0a056

SHA256
9903df9ea283d9834ab2d5050acdbf02336119ecf7038d04035a0416de9d5410

SHA512
e0669fc702ce22d3ddc1f33f3c9154a4e511bb94604e8a51cea5dec25d7cdbf9c5c68b9b884c3bad83da3f5e2bffa31111a635247d86ca495fa0b87d686eb15e

Download Submit
C:\Users\Admin\setup.exe

Filesize
5.1MB

MD5
77386ead6f9d2bcbaa9aa0517c3e65a5

SHA1
2b8af13fc4dc48f70f66e04abf5b25d74ffce15a

SHA256
91e00cda173a891cad35a45420ad7dd5557076e61ebf4444874dec541093009a

SHA512
324b5d1e652a2fba65cf5e62c4b8d7669206143849dacd639fec9871c8c1106b816b436d5517064d4ffc6aef97dbd2ad9e8493d16e513f04bf190e27230e98b8

Download Submit
C:\Windows\directx.sys

Filesize
26B

MD5
09e047b9e64c494830429d91b45d14d3

SHA1
16f7645748f87dcdf34f8b421e8f52ce6848f322

SHA256
a3711c8f5e1328003f806a8854defe07806a3471a51f6ac81fb023a031b7b139

SHA512
177f07ceac69d65bc51255391ee57fbf132be5cf54c2effd2646b73dfcc7f2dcc68882fb029761951fa3ebf8829113b0e9256bce9bb90796188585f009c7b2d3

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
55c7565bd1c02cbd56074d925acbf021

SHA1
35ff6d345b849a501d6afa6bc63aee1b765cfd4d

SHA256
e1f0ef2922d3e2b1a3205560b4fe40a2f1d97a894badb669625d675ea3ce22a4

SHA512
e20af4b363d180f03320501c06b03845e9dfd6b8037e5bc5b3430362543662e5e0a2f13fc277c3973d1d1326ea56959b95cb45685596486bf69d9d0fda951390

Download Submit
memory/1572-137-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2168-156-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2436-184-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-124-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4388-166-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads