neshta | 76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d

General

Target

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
Size

226KB
MD5

5e6f4494bbf9c04521bf3a0c9aad0e2e
SHA1

3ef1d5c8c743bd4d39bbd968249fb80f74fd80a2
SHA256

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d
SHA512

d86535f30f38f8b160eb5f37a0f681f7bcdcd5516652d2ddcfa0673c7c99f6a8b5ab60345ca3912b4dec6e311ac7b471262adae51ef72a07b0c262ad68eee727

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

pid process

1456 76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

pid	process
1456	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Drops file in Windows directory 1 IoCs

Processes:

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

description ioc process

File opened for modification C:\Windows\svchost.com 76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Modifies registry class 1 IoCs

Processes:

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

description	pid	process	target process
PID 1104 wrote to memory of 1456	1104	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
PID 1104 wrote to memory of 1456	1104	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
PID 1104 wrote to memory of 1456	1104	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe	76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

C:\Users\Admin\AppData\Local\Temp\76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
"C:\Users\Admin\AppData\Local\Temp\76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\3582-490\76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe"
  2⤵
  - Executes dropped EXE
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Filesize
186KB

MD5
21cd656309c3a89c7c159c0f83628234

SHA1
7788916cecbd3c39ca5e1e1fa5b664318b9e2fc0

SHA256
62a7ab9a02a0b2324485255d84dd8c4da45a857a9ba8be5c076917c8960b43da

SHA512
052044df989c658a48061838ac9e02af1dfaa338cb8dcc96e8e244739a643e03efd1a28a4aee11fe073be0f4501a69d624b75ac097377252cfa9d5b9f89ef2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\76e0d5999d31c50c72851ee44906974529045c7acffda7cf5d96e6d25795c21d.exe

Filesize
186KB

MD5
21cd656309c3a89c7c159c0f83628234

SHA1
7788916cecbd3c39ca5e1e1fa5b664318b9e2fc0

SHA256
62a7ab9a02a0b2324485255d84dd8c4da45a857a9ba8be5c076917c8960b43da

SHA512
052044df989c658a48061838ac9e02af1dfaa338cb8dcc96e8e244739a643e03efd1a28a4aee11fe073be0f4501a69d624b75ac097377252cfa9d5b9f89ef2d8

Download Submit
memory/1456-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads