neshta | ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594

General

Target

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
Size

4.2MB
MD5

e1e261cf3c2c0b128cab982171468b74
SHA1

ee721c539932808cb3e4691ae94c6fd27ab9e53d
SHA256

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594
SHA512

020f39f242e148540e20c25fcdf1dc52a0a112252262a14f6028f51ed174a7bf66480c8c99cafb8feea8c096dbfe8e5f95121cadbb0264133cd95ef033b9c6b3

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

pid process

4856 ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

pid	process
4856	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

Drops file in Windows directory 1 IoCs

Processes:

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

description ioc process

File opened for modification C:\Windows\svchost.com ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

Modifies registry class 1 IoCs

Processes:

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

description	pid	process	target process
PID 1848 wrote to memory of 4856	1848	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
PID 1848 wrote to memory of 4856	1848	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
PID 1848 wrote to memory of 4856	1848	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe	ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe

C:\Users\Admin\AppData\Local\Temp\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
"C:\Users\Admin\AppData\Local\Temp\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe"
2⤵
- Executes dropped EXE
PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
Filesize
501KB

MD5
e5d76d029ef37c45411945a4c4083282

SHA1
975e4c15e6618bcecb483dd96c55e008f9b14341

SHA256
0fa230fff1d267b80b8afb6822dd3df567efea06b4e10b1f8449d5792a4394c5

SHA512
11014fab54b2ff8719035bc45cddf3b7a604aa66026544dd9b4bf42eced27cd47bcac07022121e40098266bfa5fcc6a754d591fc67b1aea384a1685eff2347ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ceb71afd28d54749a038387e2c9c4d189b0e2878428e6f62a20c34e8be701594.exe
Filesize
93KB

MD5
daf23df308246f667173127a55fbe463

SHA1
5f03005e9356e920dc9e5644918be293275f919b

SHA256
46c8d626674d408c991b55b9e01e7f2bff8a579826768cc902f463eac9701046

SHA512
9d4157d8d6744aa46dfb4717a3b81d70af7412fb4352b4f68661edd2dacbcaa57f42150c2ca709e02471aaa4b508eddcc1d1018f435d82a2694a02b3a4bd9937

Download Submit
memory/4856-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads