neshta | 99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f

General

Target

df330ab2a2e5aa4ac947315ee3f93992.exe
Size

230KB
MD5

df330ab2a2e5aa4ac947315ee3f93992
SHA1

76b5d1eee342b47fe58e2136a067712cbd210351
SHA256

99a897c5b8f53e1d04e51107c748a4f385b754a852ca6b605559f5b50820a64f
SHA512

e65f573d68e8f198024028d553210095173d1551e6074b60d9543977116a0286f75641f4692049a49e6cd03729b001027136419d6cf0c71645e800d5522ed895

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	df330ab2a2e5aa4ac947315ee3f93992.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Loads dropped DLL 1 IoCs

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exe

pid process

3408 df330ab2a2e5aa4ac947315ee3f93992.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3408	df330ab2a2e5aa4ac947315ee3f93992.exe

Drops file in Program Files directory 53 IoCs

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	df330ab2a2e5aa4ac947315ee3f93992.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	df330ab2a2e5aa4ac947315ee3f93992.exe

Drops file in Windows directory 1 IoCs

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exe

description ioc process

File opened for modification C:\Windows\svchost.com df330ab2a2e5aa4ac947315ee3f93992.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	df330ab2a2e5aa4ac947315ee3f93992.exe

Modifies registry class 1 IoCs

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	df330ab2a2e5aa4ac947315ee3f93992.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

df330ab2a2e5aa4ac947315ee3f93992.exe

description	pid	process	target process
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe
PID 3408 wrote to memory of 1132	3408	df330ab2a2e5aa4ac947315ee3f93992.exe	df330ab2a2e5aa4ac947315ee3f93992.exe

C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe
"C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe
"C:\Users\Admin\AppData\Local\Temp\df330ab2a2e5aa4ac947315ee3f93992.exe"
2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsgFA40.tmp\oxtrp.dll
MD5
c2c405109b51233def2b5bf15ffd2308

SHA1
14debd98b26edba7788aafcaa41f1d32e8fe1cbc

SHA256
7e16ed39ba05c887e6d1b470b6cc8de06fd67ed81fb2da85f645cfbc643ca154

SHA512
1c209d4110dc5295d5ba951cf5a22d62ab1bf65d9b5bf66f4c6a2e8e2f2cfd339f06cddf6b956d5f9a567ec8206d607753833ce94e14149d5bbc1b596c91b80b

Download Submit
memory/1132-119-0x0000000000000000-mapping.dmp

Download
memory/1132-120-0x00000000001D0000-0x00000000001EB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads