neshta | 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f

Analysis

max time kernel
146s
max time network
132s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
Size

162KB
MD5

5a68f149c193715d13a361732f5adaa1
SHA1

595acedc67537f8c76f9d7716f2ff0a64a44da77
SHA256

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f
SHA512

e14ce2baed8aebf651f6fb722bf2913dedd06aeb23555eaf75d4edfc772dd18161257c809903fbfcb2f5515fdd00f33283570b2431a1162151c239dd145a2551

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exejavaj.exe

pid process

2004 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
288 javaj.exe

pid	process
2004	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
288	javaj.exe

Loads dropped DLL 5 IoCs

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

pid	process
1148	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
1148	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
2004	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
2004	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
1148	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exejavaj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaj = "C:\\Users\\Admin\\AppData\\Roaming\\usercache\\javaj.exe"	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaj = "C:\\Users\\Admin\\AppData\\Roaming\\usercache\\javaj.exe"	javaj.exe

Drops file in Program Files directory 20 IoCs

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

Drops file in Windows directory 1 IoCs

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

description ioc process

File opened for modification C:\Windows\svchost.com 45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

Modifies registry class 1 IoCs

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

javaj.exe

pid	process
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe
288	javaj.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe

description	pid	process	target process
PID 1148 wrote to memory of 2004	1148	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
PID 1148 wrote to memory of 2004	1148	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
PID 1148 wrote to memory of 2004	1148	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
PID 1148 wrote to memory of 2004	1148	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
PID 2004 wrote to memory of 288	2004	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	javaj.exe
PID 2004 wrote to memory of 288	2004	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	javaj.exe
PID 2004 wrote to memory of 288	2004	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	javaj.exe
PID 2004 wrote to memory of 288	2004	45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe	javaj.exe

C:\Users\Admin\AppData\Local\Temp\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
"C:\Users\Admin\AppData\Local\Temp\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Roaming\usercache\javaj.exe
"C:\Users\Admin\AppData\Roaming\usercache\javaj.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
C:\Users\Admin\AppData\Roaming\bootstrap
MD5
a3069c7c56b08b56fdb32d7a4cfc4cce

SHA1
635789a8a9b0355e64257014573f39a52283f80e

SHA256
0199dea0ac6f6d46a1cbdbbd8757d6c4345a60737950340ad4631fbcb72725d2

SHA512
e5c72ce9ab9c3dde83b99f992be54677b38072ccec78cb984695ba05200581331eb16afe680167ca08078cdc44fc04e6abeff6a482bafb719b42ef6c495cb469

Download Submit
C:\Users\Admin\AppData\Roaming\usercache\javaj.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
C:\Users\Admin\AppData\Roaming\usercache\javaj.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\45392f2ce54f822d8209c60efbb457d84a33517aecc35ae6c01af1aebb43ad7f.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
\Users\Admin\AppData\Roaming\usercache\javaj.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
\Users\Admin\AppData\Roaming\usercache\javaj.exe
MD5
5a97d62dc84ede64846ea4f3ad4d2f93

SHA1
a2c43e386b639fda382a954d10867439289fb235

SHA256
337b91c266580ee06b3e1863e7b4d02e1d30a53e9e4a09524d10c43f9bebe87a

SHA512
a2ef1ff80b62c731173eecafbe42a155e335da82177c3f646448fddffdd5a9bdff9a7050fa0a5b1c7f356705990c8265455c779951f6c35a2f2aa003ea8d24b7

Download Submit
memory/1148-55-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download