neshta | c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6

General

Target

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
Size

130KB
MD5

a38d20580f01d0b556a8e8a466d9e693
SHA1

049fe5ec1aeb8b17c28de14c03e10b7509e8f161
SHA256

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6
SHA512

c4390b78b2010a336ee8f75c59ef9e8f664009747798642c17ac7bd4f72fc030bc485e530c410372780f8e941e4ee6b317d6b45b8c5235b545c240281bbe54e3

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

pid process

2068 c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

pid	process
2068	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

Drops file in Program Files directory 16 IoCs

Processes:

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

Drops file in Windows directory 7 IoCs

Processes:

svchost.exec259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\svchost.com	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4380	svchost.exe
Token: SeCreatePagefilePrivilege	4380	svchost.exe
Token: SeShutdownPrivilege	4380	svchost.exe
Token: SeCreatePagefilePrivilege	4380	svchost.exe
Token: SeShutdownPrivilege	4380	svchost.exe
Token: SeCreatePagefilePrivilege	4380	svchost.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exec259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.execmd.exe

description	pid	process	target process
PID 4292 wrote to memory of 2068	4292	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
PID 4292 wrote to memory of 2068	4292	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
PID 4292 wrote to memory of 2068	4292	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
PID 2068 wrote to memory of 4200	2068	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe	cmd.exe
PID 2068 wrote to memory of 4200	2068	c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe	cmd.exe
PID 4200 wrote to memory of 4180	4200	cmd.exe	mode.com
PID 4200 wrote to memory of 4180	4200	cmd.exe	mode.com

C:\Users\Admin\AppData\Local\Temp\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
"C:\Users\Admin\AppData\Local\Temp\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\89E9.tmp\89EA.bat C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\system32\mode.com
mode con cols=70 lines=25
4⤵
PID:4180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
MD5
4b0cd05799ddbaf3472af06886058be9

SHA1
05e45158256dc0200eaf86ca61ac49a50499788d

SHA256
7150ebc1661db2d431ab7a11e6bfee9cf81ad6626f1a6a943143c7117f8a8d75

SHA512
6f322fc8d2cbadee9a9a294498e95fa5042c0db33151c434bb78076ff160a213772ad72b0a5a832c3f5bd06765a3a652a984022f5c906a63e0210cd65bd1b84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c259fddfbea12c7fe7aac0fd5b651c19c6a36a4ca8c8d56a1b11685a565fbba6.exe
MD5
4b0cd05799ddbaf3472af06886058be9

SHA1
05e45158256dc0200eaf86ca61ac49a50499788d

SHA256
7150ebc1661db2d431ab7a11e6bfee9cf81ad6626f1a6a943143c7117f8a8d75

SHA512
6f322fc8d2cbadee9a9a294498e95fa5042c0db33151c434bb78076ff160a213772ad72b0a5a832c3f5bd06765a3a652a984022f5c906a63e0210cd65bd1b84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\89E9.tmp\89EA.bat
MD5
f0d9b143a0365b6e17b482c97e2f4781

SHA1
ce29368fda40f9a496878171440c88e25487ec28

SHA256
b093c2635c7d5ad1aa6e76f973bc8cc611098972c334d48d27f03073787de884

SHA512
71176e2e73112aec294e4bdf3fb9517060176cc07d11c43e169dff9b2840dc54390a4c95d96b5e439e74071ec5c5dd4f2c86e82007bda16d6ffffd5cc69ea11a

Download Submit
memory/4380-133-0x000001DC4D3A0000-0x000001DC4D3B0000-memory.dmp

Filesize
64KB

Download
memory/4380-134-0x000001DC4DA20000-0x000001DC4DA30000-memory.dmp

Filesize
64KB

Download
memory/4380-135-0x000001DC50120000-0x000001DC50124000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads