neshta | 5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e

General

Target

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
Size

6.3MB
MD5

26ac6e542cc97c9247ce60cba996e504
SHA1

965887d6bfc8b7a6642ebd7e1731fc01052ecd5d
SHA256

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e
SHA512

fe5246b4e45434c7a1ff85214e7da216514530c251b846274b2dcade5b3bc2443ad9ed85621289b3fae99ef7fda7e167bd66e704eb1bc3b74200bcc8814db5bb

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

pid process

4560 5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

pid	process
4560	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

Loads dropped DLL 1 IoCs

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

pid process

4560 5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

pid	process
4560	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

Drops file in Program Files directory 14 IoCs

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

Drops file in Windows directory 1 IoCs

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

description ioc process

File opened for modification C:\Windows\svchost.com 5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3436 4560 WerFault.exe 5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

pid	pid_target	process	target process
3436	4560	WerFault.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

Modifies registry class 1 IoCs

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

description	pid	process	target process
PID 4100 wrote to memory of 4560	4100	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
PID 4100 wrote to memory of 4560	4100	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
PID 4100 wrote to memory of 4560	4100	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe	5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe

C:\Users\Admin\AppData\Local\Temp\5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
"C:\Users\Admin\AppData\Local\Temp\5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\3582-490\5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1048
3⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4560 -ip 4560
1⤵
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
Filesize
6.3MB

MD5
1891c66d1e608fa5d9714c1f77d93b67

SHA1
31babb771070135b5511d88c5c23febd74a830a0

SHA256
061588df54483aad90ad5d4c21670126de7627fae0ef74853d1bab6f604bb633

SHA512
08f4cdb161654a1fab8eb4e29cb46787e38462d3e78560110e9ad7a783878dc9ab08dddcef457d1675bd21fb2b9fab3b1f4420ee23408c09bc61d49444167e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\5405fa8a3dc66e8e685b54e4dd9f0aaf0b635da79d8b707dffd08d9d9cde838e.exe
Filesize
6.3MB

MD5
1891c66d1e608fa5d9714c1f77d93b67

SHA1
31babb771070135b5511d88c5c23febd74a830a0

SHA256
061588df54483aad90ad5d4c21670126de7627fae0ef74853d1bab6f604bb633

SHA512
08f4cdb161654a1fab8eb4e29cb46787e38462d3e78560110e9ad7a783878dc9ab08dddcef457d1675bd21fb2b9fab3b1f4420ee23408c09bc61d49444167e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect8ce200b4.dll
Filesize
737KB

MD5
8ce200b443328abcda844fcc391da7b5

SHA1
2e1a9e44d4d47f18fd1b20a9e0cbfd301e0024ea

SHA256
248144dd3d877fd6c20e78bb2e4c5886b96d14903b4faef470a36da656fc83af

SHA512
b6ca44e0f1d54d230a2b7408831c7893287e0c55ab6a22141403ede8b599f6aa2195f45295fb21c0ec6a2c796ca18c65dcf8f4fd029dcea8475621999ed1a420

Download Submit
memory/4560-130-0x0000000000000000-mapping.dmp

Download
memory/4560-133-0x0000000000900000-0x0000000000F4A000-memory.dmp

Filesize
6.3MB

Download
memory/4560-135-0x00000000066C0000-0x0000000006C64000-memory.dmp

Filesize
5.6MB

Download
memory/4560-136-0x000000000578C000-0x000000000578F000-memory.dmp

Filesize
12KB

Download
memory/4560-137-0x0000000006300000-0x0000000006392000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads