neshta | 0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c

General

Target

0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
Size

285KB
MD5

f11b8adaac506fa53290d12f459796e9
SHA1

5dcc4a95d33dd666779565b7f26124555e2db2ad
SHA256

0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c
SHA512

d8bff20ff6a24983a0bfc19dced817c5c779e13812dc276f9dcb71a5d721d6176b37deba49e87447d9b011548264bd1f1fda4255405b2cd66acee90124cc89a3

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 53 IoCs

Processes:

0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

Drops file in Windows directory 1 IoCs

Processes:

0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

description ioc process

File opened for modification C:\Windows\svchost.com 0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

Modifies registry class 1 IoCs

Processes:

0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe

C:\Users\Admin\AppData\Local\Temp\0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe
"C:\Users\Admin\AppData\Local\Temp\0a9c7bc8ba4fff94b60c407df588b0cd068cdb851e000947fe1ee21f5a90f17c.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4052