neshta | cc54829cbec8d75c6c2adc7e77b252dd9a3975417c8871ec68d324656e8e2e37

General

Target

New Inquiry.exe
Size

247KB
MD5

905db5df8d7a31ccd2c15fd5b90d3cd2
SHA1

06ec98964ce0e4d64cfcf68b579fa28be7207a15
SHA256

997d1ffb13955190f89d7d6c712af1d2b8988cffdda524963f0963b4eb761d5a
SHA512

de02d56b22651e80442d06d4ad2d10a209e261cb048139f6d8c1822783cdee3f365186bfae4901549da51a9269af1daa9929ea7eb114a2bb09406975d5277142

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1316-57-0x0000000000000000-mapping.dmp	family_neshta
behavioral1/memory/1316-58-0x00000000001C0000-0x00000000001DB000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Loads dropped DLL 1 IoCs

Processes:

New Inquiry.exe

pid process

660 New Inquiry.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

304 1316 WerFault.exe New Inquiry.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

304 WerFault.exe
304 WerFault.exe
304 WerFault.exe
304 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

304 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 304 WerFault.exe

pid	process
660	New Inquiry.exe

pid	pid_target	process	target process
304	1316	WerFault.exe	New Inquiry.exe

pid	process
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe

pid	process
304	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	304	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

New Inquiry.exeNew Inquiry.exe

description	pid	process	target process
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 660 wrote to memory of 1316	660	New Inquiry.exe	New Inquiry.exe
PID 1316 wrote to memory of 304	1316	New Inquiry.exe	WerFault.exe
PID 1316 wrote to memory of 304	1316	New Inquiry.exe	WerFault.exe
PID 1316 wrote to memory of 304	1316	New Inquiry.exe	WerFault.exe
PID 1316 wrote to memory of 304	1316	New Inquiry.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\New Inquiry.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:304

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsnCE86.tmp\xpgjtt.dll
MD5
cf4d50071a2c2fdfe2cbd07d42b4aaea

SHA1
214f85e9f8b1922333bd866d23bb97dbd8e12487

SHA256
44d8dedf859f5e3a174ae3f617cc4cc8fbfbc40f88d4a71f16c64c6b14e6b7a4

SHA512
a17f4c72c390c14044baddb53723d2fc3383ec7a2b5a89f66870f5dbb42863e0d259fec77013e8f5bd00739721e11fd8f38322e9f8a395d59dd9405927205d98

Download Submit
memory/304-67-0x0000000000000000-mapping.dmp

Download
memory/304-69-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/660-55-0x0000000076341000-0x0000000076343000-memory.dmp

Filesize
8KB

Download
memory/1316-57-0x0000000000000000-mapping.dmp

Download
memory/1316-58-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1316-62-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing