neshta | 6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76

General

Target

ORDER OCT 28,2021.exe
Size

502KB
MD5

947b72694e25a2fefcfadd3aeec7c0a1
SHA1

e1263f029a1d7a673218be6ba58f8f5c53b911fb
SHA256

6449b0b19510e8c167d7bbc8a8471f81deadda1730c5889147589db21f30cd76
SHA512

e4b2084a5259495bbcdebebaad6ca8d8e554374ce21b65ba52a4fec6d1ed5e626c36ef06447331b09fdb8a4651406aab91332068138d7e30c3b947221b7dcaab

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/920-56-0x0000000000000000-mapping.dmp	family_neshta
behavioral1/memory/920-57-0x00000000001C0000-0x00000000001DB000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Loads dropped DLL 1 IoCs

Processes:

ORDER OCT 28,2021.exe

pid process

756 ORDER OCT 28,2021.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1836 920 WerFault.exe ORDER OCT 28,2021.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1836 WerFault.exe
1836 WerFault.exe
1836 WerFault.exe
1836 WerFault.exe
1836 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1836 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1836 WerFault.exe

pid	process
756	ORDER OCT 28,2021.exe

pid	pid_target	process	target process
1836	920	WerFault.exe	ORDER OCT 28,2021.exe

pid	process
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe
1836	WerFault.exe

pid	process
1836	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1836	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ORDER OCT 28,2021.exeORDER OCT 28,2021.exe

description	pid	process	target process
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 756 wrote to memory of 920	756	ORDER OCT 28,2021.exe	ORDER OCT 28,2021.exe
PID 920 wrote to memory of 1836	920	ORDER OCT 28,2021.exe	WerFault.exe
PID 920 wrote to memory of 1836	920	ORDER OCT 28,2021.exe	WerFault.exe
PID 920 wrote to memory of 1836	920	ORDER OCT 28,2021.exe	WerFault.exe
PID 920 wrote to memory of 1836	920	ORDER OCT 28,2021.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER OCT 28,2021.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1836

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst5E28.tmp\brkwwr.dll
MD5
526d857a1bdb294a6be8ea0c40005bfa

SHA1
23f31727a792a7deb57d84c730ee6a21ab84ca55

SHA256
2fe94d81ec07813f84c6b5a310fa0c58175bc5a4f73b464d6e93c321474038de

SHA512
b3a0b21377d00edcc0b599998399a8ea4fa6a936680621e7e9b167d6373dc72069b1d3a174019cec024237797d7e8be4429365465ae34077b055e61759031ccd

Download Submit
memory/756-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/920-56-0x0000000000000000-mapping.dmp

Download
memory/920-57-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/920-61-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1836-66-0x0000000000000000-mapping.dmp

Download
memory/1836-68-0x0000000000230000-0x0000000000290000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing