neshta | d590113d786474dda028703f5cf2dbf1e2f4c03ae06e4032af83bdefaa670216 | Triage

Submit
Reports

Overview

overview

Static

static

672300912.xlsx

windows7_x64

672300912.xlsx

windows10_x64

1

Sharing

General

Target

672300912.xlsx
Size

588KB
Sample

210918-bn3dnagga8
MD5

f45c96d01984b479b9c586f7686e0727
SHA1

4a0293afdd747d2b75bc686e6d2556a6271dc413
SHA256

d590113d786474dda028703f5cf2dbf1e2f4c03ae06e4032af83bdefaa670216
SHA512

2f6ceebc0872412716780f872303f3b1363c684ebc11c7c0771748d390ec37acd2c652f779e262622e9a9aec26a11a6ab99993255b5503059ca2cc1aa0d51fc5

Score

10^/10

neshta evasion persistence spyware

Static task

static1

Behavioral task

behavioral1

Sample

672300912.xlsx

Resource

win7-en-20210916

neshta evasion persistence spyware

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

672300912.xlsx

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  672300912.xlsx
- Size
  
  588KB
- MD5
  
  f45c96d01984b479b9c586f7686e0727
- SHA1
  
  4a0293afdd747d2b75bc686e6d2556a6271dc413
- SHA256
  
  d590113d786474dda028703f5cf2dbf1e2f4c03ae06e4032af83bdefaa670216
- SHA512
  
  2f6ceebc0872412716780f872303f3b1363c684ebc11c7c0771748d390ec37acd2c652f779e262622e9a9aec26a11a6ab99993255b5503059ca2cc1aa0d51fc5
Score

10^/10

neshta evasion persistence spyware
- Detect Neshta Payload
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Looks for VirtualBox Guest Additions in registry
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scheduled Task

Scripting

Persistence

Change Default File Association

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Scripting

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

neshtaevasionpersistencespyware

behavioral2

© 2018-2024

Terms | Privacy