neshta | 3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace

General

Target

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
Size

505KB
MD5

b2d38a74c8a592f154e92009f0fdb5c1
SHA1

e647a1318feafff85b3bb5ca20fe62da27fcfd87
SHA256

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace
SHA512

2d7961419ecd48b971921fe8a3c930d47d2e830c823a4102d65f36551cb7b75f4b0a7b11369bb39c4672e66e7fcc2e364db9e7b7ba49d0410270b0bc18d3e48d

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

pid process

748 3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 53 IoCs

Processes:

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

Drops file in Windows directory 1 IoCs

Processes:

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

description ioc process

File opened for modification C:\Windows\svchost.com 3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

Modifies registry class 1 IoCs

Processes:

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

pid	process
748	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
748	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

description	pid	process	target process
PID 2592 wrote to memory of 748	2592	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
PID 2592 wrote to memory of 748	2592	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
PID 2592 wrote to memory of 748	2592	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe	3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe

C:\Users\Admin\AppData\Local\Temp\3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
"C:\Users\Admin\AppData\Local\Temp\3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\3582-490\3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
MD5
d1589d8a87b1a7bb6989d2500fe2ceb3

SHA1
354ac1272b8bb1bf7621c08c1ef4c3a63f9bbd5f

SHA256
5d1339e2ccaf299ce6231d5a5c2420d1d970376b3fb0497590c68e8189a0f57b

SHA512
a45c1385ec1040297dac6836bc6462142a2134264615e894045dafffe63b3e2c762152432aaf00fde928071c43597eff4f95b6ff6ef2a7a12268f8444f5edc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3e0789d85857d6c3e7ec6fbdabe74bc904fee79dcf05e4d9206a8606fde75ace.exe
MD5
d1589d8a87b1a7bb6989d2500fe2ceb3

SHA1
354ac1272b8bb1bf7621c08c1ef4c3a63f9bbd5f

SHA256
5d1339e2ccaf299ce6231d5a5c2420d1d970376b3fb0497590c68e8189a0f57b

SHA512
a45c1385ec1040297dac6836bc6462142a2134264615e894045dafffe63b3e2c762152432aaf00fde928071c43597eff4f95b6ff6ef2a7a12268f8444f5edc70

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads