neshta | 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8

General

Target

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Size

2.7MB
MD5

30886a4a12473e0426dee2068c918487
SHA1

d5bec6ceafb4fd8c8a0834355c9451fc4c781497
SHA256

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8
SHA512

342cf921f0447e670a99223547a98fcc572353342b87c3ef836a65bf8cb24f94a89421b10bd602eba4205e647871b40e2344a0d12a2215c58044eaaac6fb5853

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

pid process

4308 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

pid	process
4308	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

Drops file in Windows directory 1 IoCs

Processes:

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

description ioc process

File opened for modification C:\Windows\svchost.com 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4780 4308 WerFault.exe 76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

pid	pid_target	process	target process
4780	4308	WerFault.exe	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

Modifies registry class 1 IoCs

Processes:

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

description	pid	process	target process
PID 4164 wrote to memory of 4308	4164	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
PID 4164 wrote to memory of 4308	4164	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe	76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe

C:\Users\Admin\AppData\Local\Temp\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
"C:\Users\Admin\AppData\Local\Temp\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe"
2⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4308 -s 1012
3⤵
- Program crash
PID:4780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4308 -ip 4308
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Filesize
2.0MB

MD5
8176d0d1d53a67e0dc411e1344fceafe

SHA1
9b9e122b2fd902b69a46c7c8d18eeaf03bae593c

SHA256
4ba6a825975e9c9480b8cce72f711f768faed3c8b09828b8c54b5427279eda27

SHA512
3a91e0a9cf4a720e90c31fbd2a3c01174dfbe259e2e89ddb83013c971d1b0b1676577673ab496115d5c312e3d705432e9a81e402865add260ebf24647bc3ec4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\76ffc61f60a6ba06f93e9b29430fafb20cf900f35bb76cf068b9f100fc4d2ad8.exe
Filesize
2.0MB

MD5
3f82c3a400adfe27d5b390da886669c1

SHA1
a557ec9223e211ae905685c93045e92798e79077

SHA256
798871abc2179797b919a39b7d4469070c3c4e52bfde0ee190c19a58f42fe04e

SHA512
a27604c50ea67213822ff24a6dd2875396f37abf2392747c7059e20fa82cac9fed2ad0c1e4c47734e4744b8424386b893e4c47449c38eb197b2810354907d97c

Download Submit
memory/4308-130-0x0000000000000000-mapping.dmp

Download
memory/4308-133-0x0000000000210000-0x00000000004C8000-memory.dmp

Filesize
2.7MB

Download
memory/4308-134-0x00007FFB4FB80000-0x00007FFB50641000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads