neshta | 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b

General

Target

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
Size

756KB
MD5

9f8e178a38f1dd82bffc1f355ea267de
SHA1

2334987b49fa6a0c7c6e3bdc0dd1dcb9d3f1effc
SHA256

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b
SHA512

f0abfe970b897cc4b594af264aa9f721e3b29d7e2b235fc06a2392a4a582f8afe03f257e48791e0b6c08aa2ade3f794d815657234f8d465efb97545b24ea5df1

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exesetup_wm.exe

pid process

2564 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
2348 setup_wm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2564	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
2348	setup_wm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

Drops file in Program Files directory 53 IoCs

Processes:

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

Drops file in Windows directory 1 IoCs

Processes:

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

description ioc process

File opened for modification C:\Windows\svchost.com 3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

Modifies registry class 1 IoCs

Processes:

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe

description	pid	process	target process
PID 2400 wrote to memory of 2564	2400	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
PID 2400 wrote to memory of 2564	2400	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
PID 2400 wrote to memory of 2564	2400	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
PID 2564 wrote to memory of 2348	2564	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe	setup_wm.exe
PID 2564 wrote to memory of 2348	2564	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe	setup_wm.exe
PID 2564 wrote to memory of 2348	2564	3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe	setup_wm.exe

C:\Users\Admin\AppData\Local\Temp\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
"C:\Users\Admin\AppData\Local\Temp\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe /AnyOS
3⤵
- Executes dropped EXE
PID:2348

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
MD5
bfc13d7005e9db75b0f806c8f3b0d1d6

SHA1
8adb420b56288f80dde5a9fad6c4e0c860a37ae3

SHA256
a42909390664ebeeaa7e68fedf97b931bb248e5e6943997eaa67b2ed26d02319

SHA512
1691f66b3f953bbde16c043b48dd1ea79c507e7c8adfa4705f2934cd0cc83450103515441402041a1449a889660ae76a71362edf27b52c884e61f3f6852ea8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3a0ac18ca391cdf622b13a415c2f3666d0493d42e4db50a49e397e318c2eb27b.exe
MD5
bfc13d7005e9db75b0f806c8f3b0d1d6

SHA1
8adb420b56288f80dde5a9fad6c4e0c860a37ae3

SHA256
a42909390664ebeeaa7e68fedf97b931bb248e5e6943997eaa67b2ed26d02319

SHA512
1691f66b3f953bbde16c043b48dd1ea79c507e7c8adfa4705f2934cd0cc83450103515441402041a1449a889660ae76a71362edf27b52c884e61f3f6852ea8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe
MD5
fb7432d3076400b2389b8da2374e7b02

SHA1
5418be5da6c9d432a03bf5618ea5dee0eb344fd6

SHA256
4656693bf4b68e00daf30842566811120121f14da314a42af0e0e766c4463ecf

SHA512
31127874db4345a98969c37a939cbcc19f18caff16200949ce98f4dc96dc70c83680b2cc4e97044364065e48524afdcbd72b51e33e0f0a6089fc64723e7733f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_wm.exe
MD5
fb7432d3076400b2389b8da2374e7b02

SHA1
5418be5da6c9d432a03bf5618ea5dee0eb344fd6

SHA256
4656693bf4b68e00daf30842566811120121f14da314a42af0e0e766c4463ecf

SHA512
31127874db4345a98969c37a939cbcc19f18caff16200949ce98f4dc96dc70c83680b2cc4e97044364065e48524afdcbd72b51e33e0f0a6089fc64723e7733f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads