neshta | 5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce

General

Target

ExpServer.exe
Size

184KB
MD5

f201c71f9389d996a80ce65a17353cbb
SHA1

ba660d35e0e7f9e0ab84cdb6d869463c5bc77c19
SHA256

5b3f2d209915f215a7a52f93f9103acdbb0c3164a43076656763e3384a50bdce
SHA512

4c86519951c1d39d0ce7c1a1bb1738704ba8957dc1b989e50e5c411676bf12d6284fd7bbf8789a13adc1d20f642e313d4a4071c08113a61edc6ccd93a058111b

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ExpServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ExpServer.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

ExpServer.exe

pid process

3904 ExpServer.exe

pid	process
3904	ExpServer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ExpServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ExpServer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

ExpServer.exeExpServer.exe

description	ioc	process
File created	C:\Program Files (x86)\Arrange\Null.jpg	ExpServer.exe
File opened for modification	C:\Program Files (x86)\Arrange\Null.jpg	ExpServer.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\COOKIE~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~2.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13153~1.55\MICROS~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	ExpServer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\BHO\IE_TO_~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\IDENTI~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\msedge.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\MSEDGE~3.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\970107~1.55\NOTIFI~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MICROS~3.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13153~1.55\MI391D~1.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	ExpServer.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ExpServer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ExpServer.exe

Drops file in Windows directory 1 IoCs

Processes:

ExpServer.exe

description ioc process

File opened for modification C:\Windows\svchost.com ExpServer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	ExpServer.exe

Modifies registry class 1 IoCs

Processes:

ExpServer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ExpServer.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ExpServer.exe

description	pid	process	target process
PID 1828 wrote to memory of 3904	1828	ExpServer.exe	ExpServer.exe
PID 1828 wrote to memory of 3904	1828	ExpServer.exe	ExpServer.exe
PID 1828 wrote to memory of 3904	1828	ExpServer.exe	ExpServer.exe

C:\Users\Admin\AppData\Local\Temp\ExpServer.exe
"C:\Users\Admin\AppData\Local\Temp\ExpServer.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\3582-490\ExpServer.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\ExpServer.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\ExpServer.exe
MD5
6c7a8e07ee50716bcac297032deb547e

SHA1
6b67b48969e1e083ac1f9ea74a1ff5fc9c6497a4

SHA256
3afc44005a08136d9385313daf6fb3e1207661f59e9bdb36621d7a3c7bc35439

SHA512
bb82f0c4aebcd8cc3db6115f935cb5d902509ea746bd868b522f39637c05a680dcd031a5dd122bcd866a5297727095fc56532df2a43d5c746d4c535992fa6597

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ExpServer.exe
MD5
6c7a8e07ee50716bcac297032deb547e

SHA1
6b67b48969e1e083ac1f9ea74a1ff5fc9c6497a4

SHA256
3afc44005a08136d9385313daf6fb3e1207661f59e9bdb36621d7a3c7bc35439

SHA512
bb82f0c4aebcd8cc3db6115f935cb5d902509ea746bd868b522f39637c05a680dcd031a5dd122bcd866a5297727095fc56532df2a43d5c746d4c535992fa6597

Download Submit
memory/3904-132-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads