modiloader | 68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Size

821KB
MD5

2f6f4f9674c6721b5ea8319ed90a8f20
SHA1

154e852c206379e4a6a02d4981f2c4d8be1319c5
SHA256

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f
SHA512

3240e8f0321f2afcca7485a4a3658c88518145c803a445361302f64e2f5e24078f1f2633d8e4d2850b0e987f782510dcd14e201d981e542e83f7475025adea9d
SSDEEP

12288:UpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9j9DXMS9:QJ39LyjbJkQFMhmC+6GD9j1n9

Score

10^/10

modiloader neshta persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

ModiLoader Second Stage 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	modiloader_stage2
behavioral1/memory/1748-47-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2580-52-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/2964-72-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-148-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2600-150-0x0000000000400000-0x0000000000411000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-165-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2
behavioral1/memory/2692-195-0x0000000000400000-0x00000000004C9000-memory.dmp	modiloader_stage2

Executes dropped EXE 6 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exeSynaptics.exesvchost.comAdobeART.exe._cache_Synaptics.exe

pid	process
1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
2580	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
2692	Synaptics.exe
2428	svchost.com
2600	AdobeART.exe
2964	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exesvchost.comSynaptics.exe

pid	process
2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
2428	svchost.com
2428	svchost.com
2692	Synaptics.exe
2692	Synaptics.exe
2692	Synaptics.exe
2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exeAdobeART.exe._cache_Synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	AdobeART.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"	._cache_Synaptics.exe

Drops file in Program Files directory 64 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

Drops file in Windows directory 3 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exesvchost.comSynaptics.exe

description	pid	process	target process
PID 2176 wrote to memory of 1748	2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 2176 wrote to memory of 1748	2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 2176 wrote to memory of 1748	2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 2176 wrote to memory of 1748	2176	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 1748 wrote to memory of 2580	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 1748 wrote to memory of 2580	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 1748 wrote to memory of 2580	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 1748 wrote to memory of 2580	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
PID 1748 wrote to memory of 2692	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	Synaptics.exe
PID 1748 wrote to memory of 2692	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	Synaptics.exe
PID 1748 wrote to memory of 2692	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	Synaptics.exe
PID 1748 wrote to memory of 2692	1748	68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	Synaptics.exe
PID 2580 wrote to memory of 2428	2580	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	svchost.com
PID 2580 wrote to memory of 2428	2580	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	svchost.com
PID 2580 wrote to memory of 2428	2580	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	svchost.com
PID 2580 wrote to memory of 2428	2580	._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe	svchost.com
PID 2428 wrote to memory of 2600	2428	svchost.com	AdobeART.exe
PID 2428 wrote to memory of 2600	2428	svchost.com	AdobeART.exe
PID 2428 wrote to memory of 2600	2428	svchost.com	AdobeART.exe
PID 2428 wrote to memory of 2600	2428	svchost.com	AdobeART.exe
PID 2692 wrote to memory of 2964	2692	Synaptics.exe	._cache_Synaptics.exe
PID 2692 wrote to memory of 2964	2692	Synaptics.exe	._cache_Synaptics.exe
PID 2692 wrote to memory of 2964	2692	Synaptics.exe	._cache_Synaptics.exe
PID 2692 wrote to memory of 2964	2692	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
"C:\Users\Admin\AppData\Local\Temp\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Roaming\AdobeART.exe
C:\Users\Admin\AppData\Roaming\AdobeART.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2600

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
Filesize
8B

MD5
82be4689ee514efd48495a099c701bbe

SHA1
3fac77ae97bec2fffcc6ed4d03eb440886b804e2

SHA256
2de0305d8b74943799dd06c099781fbdf5220e0a6b6c02222344f7a5741c32e6

SHA512
da2a86fa2c18e2927b6b299e27af8aaf1e6d0f2a21f9eab0dc9176c0d0ff5d7314a841fb7d1bb27297a180ee3c3029ca5470b584ce6f677cf361295083a3b1e5

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
f7a0b431d559f3b49ca6e69ec1df344f

SHA1
716acdcc834ad512e175f2b87ec87409bd66cd92

SHA256
16e3fb784a474ccd787e669c3117baec169cd5d3e5e53acf6540889539b8abee

SHA512
7704ddfa53cfa078771c35acee7549d545a49b5d16d3952312e3baf5bbb69c9c4614560e5cac621fd70cb982a6b3c12829653a73b3f7d31a7ad9e30e25f76eec

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Filesize
36KB

MD5
0fd492912e95d20941f96a49d493da9c

SHA1
3336bf0f29bde762b36b876488ddf3c562174462

SHA256
81d622108a3bd126a2ac9f101dcb37bc160141585e3f9e1e1ab7905ee6bc5e07

SHA512
831cd4319d607c5b030503ccde7f3fabc38d74c73b38228557495c3c611ae482e73a43f6c94267beb84b41b3b0e5c4f0a0f5202c6e59744657bff48de33d4745

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\68a27b558777a677920f88a3c34226e7efb0b87c90c9ff9143c992c98848f38f.exe
Filesize
781KB

MD5
a8a7c72473da536ed5af5168b890ef51

SHA1
9f7793ca3ef966284c9621bcfb1b6b98cdf4f8dd

SHA256
78175d8bac0c2a60dcd011b294e4b3127677e134a3a60c154f509b6021ab1244

SHA512
0501058922d22b251a4ae9d59bb321bbf446632f1e633d4ebb478ce42b3d9e9513644884d73342356cbc61089084780616e770d964e95143729e1b11f5865cbc

Download Submit
memory/1748-47-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1748-14-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2176-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2176-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-158-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2580-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-150-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2692-148-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2692-165-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2692-195-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2964-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download