neshta | 3fa53f6f68e280013eb9651a53a3c40a16fa99f7689d0761b3f95b2de68b22cf | Triage

Analysis

max time kernel
54s
max time network
66s
platform
windows10_x64
resource
win10v20210410
submitted
06-07-2021 15:49

Sharing

Report Analysis Logs

General

Target

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
Size

700KB
MD5

4c33a8d7ea67f81000eee8b1c9475f9c
SHA1

a96a1a2cd37af1a04fafc9104b59661924c2c2a0
SHA256

3fa53f6f68e280013eb9651a53a3c40a16fa99f7689d0761b3f95b2de68b22cf
SHA512

d93206e78dbfc4e1ca1633172c7aeb93ba6270822e7f8880220599731d9db4299ea85e1d14d59929ebe6e9b812d09f8db180df4fa4f2bbc93fc4d8a0aad87cf0

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2128-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2128-126-0x00000000004080E4-mapping.dmp	family_neshta
behavioral2/memory/2128-127-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

Modify Registry

Change Default File Association

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

description	pid	process	target process
PID 3424 set thread context of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

Drops file in Program Files directory 55 IoCs

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Temp\GUM1CBD.tmp\GOFB2B~1.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

Drops file in Windows directory 1 IoCs

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

description ioc process

File opened for modification C:\Windows\svchost.com SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

pid	process
3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

description pid process

Token: SeDebugPrivilege 3424 SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

description	pid	process	target process
PID 3424 wrote to memory of 3120	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 3120	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 3120	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 3364	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 3364	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 3364	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
PID 3424 wrote to memory of 2128	3424	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe	SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
"{path}"
2⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
"{path}"
2⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.ERY.genEldorado.22139.11301.exe
"{path}"
2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-126-0x00000000004080E4-mapping.dmp

Download
memory/3424-121-0x00000000024C0000-0x00000000024C2000-memory.dmp

Filesize
8KB

Download
memory/3424-119-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3424-120-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3424-114-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/3424-122-0x000000000A190000-0x000000000A191000-memory.dmp

Filesize
4KB

Download
memory/3424-123-0x000000000ABF0000-0x000000000AC74000-memory.dmp

Filesize
528KB

Download
memory/3424-124-0x0000000004CA0000-0x0000000004CDD000-memory.dmp

Filesize
244KB

Download
memory/3424-118-0x0000000009EF0000-0x0000000009EF1000-memory.dmp

Filesize
4KB

Download
memory/3424-117-0x000000000A3F0000-0x000000000A3F1000-memory.dmp

Filesize
4KB

Download
memory/3424-116-0x0000000004960000-0x00000000049C2000-memory.dmp

Filesize
392KB

Download