neshta | 88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611

General

Target

88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
Size

286KB
MD5

3fcdb9dd3a2aaba8fb7e9cfe3c5d4523
SHA1

f952a62775f4d0781a4595c1fb4b48161f569744
SHA256

88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611
SHA512

c6c21246d6d95f8c845caa599529b32e127eebf2917ba54a02a8f966c277adfd82fe041a68daa42b04c2bf918fa4a9d6f453d8d264548a859692a01d4327bc29

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 53 IoCs

Processes:

88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

Drops file in Windows directory 1 IoCs

Processes:

88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

description ioc process

File opened for modification C:\Windows\svchost.com 88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

Modifies registry class 1 IoCs

Processes:

88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe

C:\Users\Admin\AppData\Local\Temp\88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe
"C:\Users\Admin\AppData\Local\Temp\88fba2ddc7394cdf2fdc073a969aebe11e20bf8844d486f04c5a22818716b611.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2676