neshta | 9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda

General

Target

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
Size

306KB
MD5

1b2fea5d24b3d85328af477a087530da
SHA1

246d81f1cf1c919fbd4a46bd8fb0d92587db59b8
SHA256

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda
SHA512

c721fc9f135c386240a713aaeeb20e6f25b863f14bb419660ccdbcb8045db4c5f266e25b9baf594bd065c9ea683f86e7189d3a73d096689d4ea7a6e14e774d7c

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

pid process

4640 9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

pid	process
4640	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Drops file in Windows directory 1 IoCs

Processes:

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

description ioc process

File opened for modification C:\Windows\svchost.com 9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1220 4640 WerFault.exe 9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

pid	pid_target	process	target process
1220	4640	WerFault.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Modifies registry class 1 IoCs

Processes:

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

description	pid	process	target process
PID 4828 wrote to memory of 4640	4828	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
PID 4828 wrote to memory of 4640	4828	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
PID 4828 wrote to memory of 4640	4828	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe	9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

C:\Users\Admin\AppData\Local\Temp\9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
"C:\Users\Admin\AppData\Local\Temp\9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\3582-490\9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe"
2⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1144
3⤵
- Program crash
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4640 -ip 4640
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Filesize
266KB

MD5
60e683e53b3ab3d96d1dcd5ae2c15ffb

SHA1
0ed0d483458721f725f767358bfcd54ea3521a23

SHA256
d07226f508c2f21d5edad1bc9ffbb04b893c4cb1b877b2ee6b35a01e5e6c84b7

SHA512
842e5b63e7a818b28d3e1839a9b6c824cdb4ed92c1457f8ce52e4fcef3ebba2124527a36ab82ab3f13976b2bbee2050763daa8921986a286bcb01e60fa2c7965

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9731bcb4be13a02b6b0c2697431d1c0851e41efbe8e4784b98b6947fe1257bda.exe

Filesize
266KB

MD5
60e683e53b3ab3d96d1dcd5ae2c15ffb

SHA1
0ed0d483458721f725f767358bfcd54ea3521a23

SHA256
d07226f508c2f21d5edad1bc9ffbb04b893c4cb1b877b2ee6b35a01e5e6c84b7

SHA512
842e5b63e7a818b28d3e1839a9b6c824cdb4ed92c1457f8ce52e4fcef3ebba2124527a36ab82ab3f13976b2bbee2050763daa8921986a286bcb01e60fa2c7965

Download Submit
memory/4640-130-0x0000000000000000-mapping.dmp

Download
memory/4640-133-0x0000000000EE0000-0x0000000000F2C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads