neshta | 7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c

General

Target

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
Size

6.2MB
MD5

2852c439674207cf1e5b574f50883190
SHA1

d6efdb98c84885fbf4744dd8b8676438471ef991
SHA256

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c
SHA512

928fbaf2fe6ba6ab80e55ab6d35c83e827cbffd117e972a0a3bb2141e361fa61e3ca80daf1de3712cca02a3e75173163597604a29de91ce2eace8161a5ee126c

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

pid process

1324 7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

pid	process
1324	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

Drops file in Windows directory 1 IoCs

Processes:

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

description ioc process

File opened for modification C:\Windows\svchost.com 7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

Modifies registry class 1 IoCs

Processes:

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

description	pid	process	target process
PID 3256 wrote to memory of 1324	3256	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
PID 3256 wrote to memory of 1324	3256	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
PID 3256 wrote to memory of 1324	3256	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe	7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe

C:\Users\Admin\AppData\Local\Temp\7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
"C:\Users\Admin\AppData\Local\Temp\7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\3582-490\7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe"
2⤵
- Executes dropped EXE
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\7e552863cf2eedefc01fb519520b3f0ad066703772043204b358866a58533e4c.exe
Filesize
6.2MB

MD5
2fbe8348a03b7440eb5b025abae7f7d1

SHA1
caf51ef364615c4a07baa5789b753ae8bafa0149

SHA256
c68bb9b97e36b5daab3d100f427a7977a535d9b4ea20890fbb755f39d0421e94

SHA512
0dfe04ca094ca66498a84d778c953dec26a585793535c382422aa157d52adc61129ac9ff9ef7f55f2fbcaf12c98b896c54aaaff091f5d9f96ecbe19e1783a67c

Download Submit
memory/1324-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads