neshta | e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f

Analysis

max time kernel
26s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe
Size

2.4MB
MD5

66b936cb3969b8801feafb1dae2152dd
SHA1

4988d0840f4a7867bcf2141ab03b2fe0261e0c2e
SHA256

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f
SHA512

2efa5b2fefd644c933f04a8f6ed8862a88e7e1514be76620c7a242dbd3d43d03e2ecaef1b501ccab7756167fd18688d1c1122461aac1071476b1585a01f08d41

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

pid process

2744 e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

pid	process
2744	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

Drops file in Windows directory 1 IoCs

Processes:

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

description ioc process

File opened for modification C:\Windows\svchost.com e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5072 2744 WerFault.exe e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

pid	pid_target	process	target process
5072	2744	WerFault.exe	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

Modifies registry class 1 IoCs

Processes:

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

description	pid	process	target process
PID 3600 wrote to memory of 2744	3600	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe
PID 3600 wrote to memory of 2744	3600	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe
PID 3600 wrote to memory of 2744	3600	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe	e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

C:\Users\Admin\AppData\Local\Temp\e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe
"C:\Users\Admin\AppData\Local\Temp\e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\3582-490\e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe"
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 460
3⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2744 -ip 2744
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

Filesize
1.9MB

MD5
bee021462a23388c4786afd849a9a148

SHA1
486b94c00de2f7a188a6ebd7a6e324582263e1f5

SHA256
09f3d3ff394eb8f843928b81960c79700ffa7f3f49fccdfca4af71eb2a38518f

SHA512
0da8e1d59f19465ee3470c89280aab9995095e83139797c702b65f427b1f6a6ab260fe064b04e98bdcdabed4906ccc1ff9b2a2e83c0dadb5b71b68854ac4353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\e7000e328ff4f4c4aca5e0f096cd873be6225ffd694f4723f2e48b5288849b3f.exe

Filesize
1.9MB

MD5
977f8554275c3713d73754165f936d5f

SHA1
ea9985da8fd8b58121f9e2b56329419acacc52c4

SHA256
110e3199dfadf3fe50074b71948f3fd104240fe953ed5e56a8d28925dcb83ef5

SHA512
717372a137b6526d573d4a550f708641d4b3e4d81a64412b001432da63f348a62ab472994de761030f78d7c64dcf69e78721b6fac5ffb95d9f6d09d1789dcb82

Download Submit
memory/2744-133-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-139-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-142-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-145-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-151-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-153-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-157-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-163-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-167-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-170-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-174-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-176-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-181-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-183-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-185-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-184-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-186-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-191-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-194-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-195-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-196-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-193-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-192-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-190-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-189-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-188-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-187-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-182-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-180-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-179-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-178-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-177-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-175-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-172-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-173-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-171-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-168-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-169-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-166-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-165-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-164-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-162-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-161-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-160-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-159-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-158-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-156-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-154-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-155-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-152-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-150-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-149-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-148-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-147-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-146-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-144-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-143-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-140-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-141-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-138-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-135-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-134-0x0000000002310000-0x0000000002410000-memory.dmp

Filesize
1024KB

Download
memory/2744-130-0x0000000000000000-mapping.dmp

Download
memory/2744-341-0x000000007FE30000-0x000000007FE38000-memory.dmp

Filesize
32KB

Download
memory/2744-342-0x000000007FC40000-0x000000007FD0C000-memory.dmp

Filesize
816KB

Download
memory/2744-343-0x0000000006B20000-0x00000000070C4000-memory.dmp

Filesize
5.6MB

Download
memory/2744-344-0x0000000007390000-0x0000000007422000-memory.dmp

Filesize
584KB

Download