neshta | 626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8

General

Target

626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
Size

233KB
MD5

60586b6f510cfc8b43878e1a2a7deed4
SHA1

b0c86c18cbe5ef0d32c8bd937ead5a9c71419422
SHA256

626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8
SHA512

324888c2edd8b91df6caa435d1637673f927b22073a4b9d4618de60f802e3cabc5795b2a49efcb48f62cf052a2fd175334607759e2a421008b179f997d8ff584

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 53 IoCs

Processes:

626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

Drops file in Windows directory 1 IoCs

Processes:

626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

description ioc process

File opened for modification C:\Windows\svchost.com 626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

Modifies registry class 1 IoCs

Processes:

626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe

C:\Users\Admin\AppData\Local\Temp\626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe
"C:\Users\Admin\AppData\Local\Temp\626998c3dd9fa7fff9c53ebce0aa1c01d92ac4317efd466c8645ddbe2fceaea8.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3348