neshta | afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709

General

Target

781932d5e3cf1b9e902ee2ea8c48f572.exe
Size

234KB
MD5

781932d5e3cf1b9e902ee2ea8c48f572
SHA1

70a244d771d7cfa61b2fa3d2a0ac386ea2bf0393
SHA256

afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709
SHA512

ba05f74a081a6e4fc12b4c00f388da141bdfa61074ecf379421cdcc72d6f546e6067e07877332e3456bf27a3b17d5549ade76b04cbf2de2753f39fbdf31082bc

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-56-0x0000000000000000-mapping.dmp	family_neshta
behavioral1/memory/1748-57-0x00000000001C0000-0x00000000001DB000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Loads dropped DLL 1 IoCs

Processes:

781932d5e3cf1b9e902ee2ea8c48f572.exe

pid process

1612 781932d5e3cf1b9e902ee2ea8c48f572.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1328 1748 WerFault.exe 781932d5e3cf1b9e902ee2ea8c48f572.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1328 WerFault.exe
1328 WerFault.exe
1328 WerFault.exe
1328 WerFault.exe
1328 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1328 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1328 WerFault.exe

pid	process
1612	781932d5e3cf1b9e902ee2ea8c48f572.exe

pid	pid_target	process	target process
1328	1748	WerFault.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe

pid	process
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe
1328	WerFault.exe

pid	process
1328	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1328	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

781932d5e3cf1b9e902ee2ea8c48f572.exe781932d5e3cf1b9e902ee2ea8c48f572.exe

C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe
"C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe
"C:\Users\Admin\AppData\Local\Temp\781932d5e3cf1b9e902ee2ea8c48f572.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1328

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiD431.tmp\azxcktqvoyc.dll
MD5
26ffa4722b447fff084a239b44f7cac9

SHA1
39f7ad0bf15f3dcf6e67141108476abea370f7e3

SHA256
77aba174986d7969103ae452fd1193ccb9dc495a4579fa4b7f2939e367b33121

SHA512
118068c79e021899abeeb9a17e548b9887af536fc9b8a9a35358ef85980d31fc5192f989a4d5d1a3826c63882888cdc10ac3c5f3918a4172bbf547643ff75532

Download Submit
memory/1328-66-0x0000000000000000-mapping.dmp

Download
memory/1328-68-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1612-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1748-56-0x0000000000000000-mapping.dmp

Download
memory/1748-57-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1748-61-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download

description	pid	process	target process
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1612 wrote to memory of 1748	1612	781932d5e3cf1b9e902ee2ea8c48f572.exe	781932d5e3cf1b9e902ee2ea8c48f572.exe
PID 1748 wrote to memory of 1328	1748	781932d5e3cf1b9e902ee2ea8c48f572.exe	WerFault.exe
PID 1748 wrote to memory of 1328	1748	781932d5e3cf1b9e902ee2ea8c48f572.exe	WerFault.exe
PID 1748 wrote to memory of 1328	1748	781932d5e3cf1b9e902ee2ea8c48f572.exe	WerFault.exe
PID 1748 wrote to memory of 1328	1748	781932d5e3cf1b9e902ee2ea8c48f572.exe	WerFault.exe

Analysis

Sharing