modiloader | 68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
02-07-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Size

821KB
MD5

2f6f4f9674c6721b5ea8319ed90a8f20
SHA1

154e852c206379e4a6a02d4981f2c4d8be1319c5
SHA256

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f
SHA512

3240e8f0321f2afcca7485a4a3658c88518145c803a445361302f64e2f5e24078f1f2633d8e4d2850b0e987f782510dcd14e201d981e542e83f7475025adea9d
SSDEEP

12288:UpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9j9DXMS9:QJ39LyjbJkQFMhmC+6GD9j1n9

Score

10^/10

modiloader neshta persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

ModiLoader Second Stage 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	modiloader_stage2
behavioral2/memory/2068-114-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral2/memory/2396-172-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/2208-186-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/4920-310-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral2/memory/1392-312-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral2/memory/4920-352-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2

Executes dropped EXE 6 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exeSynaptics.exesvchost.comAdobeART.exe._cache_Synaptics.exe

pid	process
2068	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
2396	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
4920	Synaptics.exe
2224	svchost.com
1392	AdobeART.exe
2208	._cache_Synaptics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

._cache_Synaptics.exe68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exeAdobeART.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	AdobeART.exe

Drops file in Program Files directory 64 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

Drops file in Windows directory 3 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 5 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exeSynaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3508 EXCEL.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

3508 EXCEL.EXE
3508 EXCEL.EXE
3508 EXCEL.EXE
3508 EXCEL.EXE
3508 EXCEL.EXE
3508 EXCEL.EXE

pid	process
3508	EXCEL.EXE

pid	process
3508	EXCEL.EXE
3508	EXCEL.EXE
3508	EXCEL.EXE
3508	EXCEL.EXE
3508	EXCEL.EXE
3508	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	process	target process
PID 3432 wrote to memory of 2068	3432	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 3432 wrote to memory of 2068	3432	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 3432 wrote to memory of 2068	3432	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 2068 wrote to memory of 2396	2068	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 2068 wrote to memory of 2396	2068	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 2068 wrote to memory of 2396	2068	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 2068 wrote to memory of 4920	2068	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	Synaptics.exe
PID 2068 wrote to memory of 4920	2068	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	Synaptics.exe
PID 2068 wrote to memory of 4920	2068	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	Synaptics.exe
PID 2396 wrote to memory of 2224	2396	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	svchost.com
PID 2396 wrote to memory of 2224	2396	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	svchost.com
PID 2396 wrote to memory of 2224	2396	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	svchost.com
PID 2224 wrote to memory of 1392	2224	svchost.com	AdobeART.exe
PID 2224 wrote to memory of 1392	2224	svchost.com	AdobeART.exe
PID 2224 wrote to memory of 1392	2224	svchost.com	AdobeART.exe
PID 4920 wrote to memory of 2208	4920	Synaptics.exe	._cache_Synaptics.exe
PID 4920 wrote to memory of 2208	4920	Synaptics.exe	._cache_Synaptics.exe
PID 4920 wrote to memory of 2208	4920	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
"C:\Users\Admin\AppData\Local\Temp\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Roaming\AdobeART.exe
C:\Users\Admin\AppData\Roaming\AdobeART.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1392

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2208

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Filesize
9.4MB

MD5
124147ede15f97b47224628152110ce2

SHA1
4530fee9b1199777693073414b82420a7c88a042

SHA256
3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd

SHA512
f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Filesize
36KB

MD5
0fd492912e95d20941f96a49d493da9c

SHA1
3336bf0f29bde762b36b876488ddf3c562174462

SHA256
81d622108a3bd126a2ac9f101dcb37bc160141585e3f9e1e1ab7905ee6bc5e07

SHA512
831cd4319d607c5b030503ccde7f3fabc38d74c73b38228557495c3c611ae482e73a43f6c94267beb84b41b3b0e5c4f0a0f5202c6e59744657bff48de33d4745

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Filesize
781KB

MD5
a8a7c72473da536ed5af5168b890ef51

SHA1
9f7793ca3ef966284c9621bcfb1b6b98cdf4f8dd

SHA256
78175d8bac0c2a60dcd011b294e4b3127677e134a3a60c154f509b6021ab1244

SHA512
0501058922d22b251a4ae9d59bb321bbf446632f1e633d4ebb478ce42b3d9e9513644884d73342356cbc61089084780616e770d964e95143729e1b11f5865cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize
8B

MD5
787b96a56c631860d9e584145e404ea7

SHA1
5943487a2858b6771e7868dc948d4acc1279b670

SHA256
d8be801bbfa4e507631c46b07e738f352d690976ebc8566b4f545d18a9092eb7

SHA512
703a5cc02546719da54164ae3fb17c26fa99c56c6e094aace68b813b90aa7d4be9f1a7d3b555e150c562396424dd358f095d44b3a28aeec573fa608ade9aa6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh2sxg8C.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f7a0b431d559f3b49ca6e69ec1df344f

SHA1
716acdcc834ad512e175f2b87ec87409bd66cd92

SHA256
16e3fb784a474ccd787e669c3117baec169cd5d3e5e53acf6540889539b8abee

SHA512
7704ddfa53cfa078771c35acee7549d545a49b5d16d3952312e3baf5bbb69c9c4614560e5cac621fd70cb982a6b3c12829653a73b3f7d31a7ad9e30e25f76eec

Download Submit
memory/1392-312-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2068-13-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2068-114-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2208-186-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2224-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2224-325-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-172-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3432-309-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3432-317-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3508-300-0x00007FFF3EEF0000-0x00007FFF3EF00000-memory.dmp

Filesize
64KB

Download
memory/3508-296-0x00007FFF41110000-0x00007FFF41120000-memory.dmp

Filesize
64KB

Download
memory/3508-297-0x00007FFF41110000-0x00007FFF41120000-memory.dmp

Filesize
64KB

Download
memory/3508-294-0x00007FFF41110000-0x00007FFF41120000-memory.dmp

Filesize
64KB

Download
memory/3508-299-0x00007FFF3EEF0000-0x00007FFF3EF00000-memory.dmp

Filesize
64KB

Download
memory/3508-295-0x00007FFF41110000-0x00007FFF41120000-memory.dmp

Filesize
64KB

Download
memory/3508-298-0x00007FFF41110000-0x00007FFF41120000-memory.dmp

Filesize
64KB

Download
memory/4920-310-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4920-352-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download