neshta | 86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d

Analysis

max time kernel
1s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Size

338KB
MD5

39e4a765f9f5bd83bafb10167abe3d3b
SHA1

7661eb228a62c9076cb954a207f452b4934947f1
SHA256

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d
SHA512

f02604a7762bdc559b45a51a4336fba8091aed6b11d78dfc4bc48728fbfa39485ae54196fe8b5115310b0ae6d1ff35eaba00ea2e01d307f8ef9935c3eba4b067

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

pid process

1544 86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Loads dropped DLL 1 IoCs

Processes:

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

pid process

1696 86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Drops file in Windows directory 1 IoCs

Processes:

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

description ioc process

File opened for modification C:\Windows\svchost.com 86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1432 1544 WerFault.exe 86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

pid	process
1544	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

pid	process
1696	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

pid	pid_target	process	target process
1432	1544	WerFault.exe	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

Modifies registry class 1 IoCs

Processes:

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

description	pid	process	target process
PID 1696 wrote to memory of 1544	1696	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
PID 1696 wrote to memory of 1544	1696	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
PID 1696 wrote to memory of 1544	1696	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
PID 1696 wrote to memory of 1544	1696	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe	86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe

C:\Users\Admin\AppData\Local\Temp\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
"C:\Users\Admin\AppData\Local\Temp\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe"
2⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 552
3⤵
- Program crash
PID:1432

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
60KB

MD5
2a21d8245c56ca4761f9c71621d613e4

SHA1
7368ce627c0b1c5d0fc2527cdc14b7c809b6fb15

SHA256
bac9582f4cc46067b57e73ef11133a80b918bc39d75ff0b58d8b2efbb06d5965

SHA512
c946c5cfba5ec5d76b40092b7df1b92645994564d6d3a57ed5ff50f6c3d8593597324e3f8e2647a4b0b76c4f2d88c090ae94909c78e7b3bccacc135c7f33dcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
105KB

MD5
b620c073380871b496b3b9b499e09719

SHA1
7935a2aa3140624baf958d30a6e63b8a0258eb17

SHA256
455a8e8f60b9205c70e196ca4644b9c029e8e50a80595ca9cb48843f20826d1f

SHA512
8e5dbd27beb5c1733a0f22dc8854215f21afc862a00f331c200ad3f789c2fe7e6c959a2ed9e5e9899d43da2b8f6edf97b0b3a0d5e36cc43049d2a3a406423a90

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
46KB

MD5
b7829e32bfab37fba482273cf24aa8ab

SHA1
ee4391f95b85a58d08871d1016977cadc7cef83c

SHA256
f5e235891f4aa230c059ef50962f48722a014d6728e2c4c4e159c28143db3859

SHA512
34a58d2f9b012f9d1ae87707908903e0d902c4f00e6a8a652ff51dd212e1c4eb6ff5a44d4aba5bc9a65fd12711b9f355d6b46fdebf37b7c4b70d88c569a9a2f1

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
34KB

MD5
39c71fa713900e974c3574eb41eae069

SHA1
08b11c416aef599c9f1d860397ca1b3a0b35f5be

SHA256
18c4af0cb10b153e985283c0f73a9363b80f0588085fa336717e95eb4ce9e792

SHA512
0a50383679b35a34225431f92f73eff14f666c5ca0cce95ebc95ac65b91cf4678b8e8c4fac6cd8da78fcf35f0b7262065b2c4adf11215c3f7eb786e2f8a9fd74

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
60KB

MD5
57fa12c7d8ade54624bda7d47a043c1a

SHA1
a5ef5a6c72423442eb53db01a87bea924aaed07d

SHA256
231bae9c0655f3418ad13dc22dd35b1ddd41b9e048f4c078cb6516c8963ce75a

SHA512
88e318a08e9973876d9e9a09a93fa06436b5b159d72de8e909b19401b7092f2d21320fa27a71aee86133b54e6b3bf6369150571e1f819844ea2abae6ff0023b0

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
108KB

MD5
ceadba92743781f8f3f29947b7abcbeb

SHA1
11c265dab43cc5088e7bb633086c3f04151c352e

SHA256
affd292aa3711acaa821a1d5e80b99cfcf975b15d9f532451a4e88de524b7d45

SHA512
5b06e5875257504417779b1830fe516961c7f987e7d3dfb377c42a3babe6afc3fd705cc37dcdf6d7c78e365f98c3297b6f28c5a4eec489b6f826708121dec00f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
88KB

MD5
57e94f8dd764ed188c846df8a6c7855c

SHA1
96e49981fa93d06fe1d499b790ccc30ae3fd1f7b

SHA256
2007ef36690ebd0368560a0a532ea11bc7fb6e3bcf59e795b35920b999855b85

SHA512
44cdfae25c0fa24382d63c4a0fa77e1a32adedfe69138e90a4789c856190082e86f273b33f479e6add250b3bf6ff90ba89c09218663d09f12c881626914668a3

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
66KB

MD5
a2f318baa64e5f8417a978d8b7f7acf0

SHA1
f30e8a2ca697b7e3ad932cc36951bd0a6a784bcb

SHA256
291bdf42a23f90a8a7ace99be37e9e474aebcee607ea05e31b888842603712c7

SHA512
223b669f5b43477501dd6c02c2350e27f67d270f052595b651c3b6faddf7a19acf7e622380603743f144cf4c0f4c6cb82b5b4f09b6d981f91819fb96c0cd51e1

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\86e8d22906fd550d52dcc6c2352b2c1a3eb6798c1010ae2424a6523f89dfb34d.exe
Filesize
69KB

MD5
1c79850ddd8f593f78664aef4dfdd571

SHA1
826401a3c6db4783385be1b9251246d65083e9e7

SHA256
b86c6e2e4faf8229dfd5aafa069796d037055ab7bf7d7ee42facd98f8f5be7cf

SHA512
5511012b58a35b237ede8811ac0aea25ea4dfb080ddc18f0341b6bb17e030575f7115e7d16968dcc0adfcc3fe103ed5b8e0a46f0f5fa11869a44a809da627fb4

Download Submit
memory/1432-60-0x0000000000000000-mapping.dmp

Download
memory/1544-59-0x0000000001280000-0x00000000012D0000-memory.dmp

Filesize
320KB

Download
memory/1544-56-0x0000000000000000-mapping.dmp

Download
memory/1696-54-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads