Analysis
Max time kernel: 112s
Max time network: 115s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 29-05-2022 09:04
Static task: static1
Behavioral task: behavioral1 (sample: tmp.exe; resource: win7-20220414-en)
Behavioral task: behavioral2 (sample: tmp.exe; resource: win10v2004-20220414-en)
General
Target: tmp.exe
Size: 377KB
MD5: c547b83eb19d7b7f3b452bb00f3af774
SHA1: 9aa5a18b9cfaeccc91fe7f4d8015c10ed44bce92
SHA256: 741d106ef5db0d61b16df07eecb4054c432c2e152c25d3d3b6512148de1049ac
SHA512: f3796167ba7fbc3f5d178da3588e2987cabc54c33b10d1bc5fd8cd24237bd972eac6b43c38bc1588828a8ca0f53cd328c5c591f6d2488319a9a26e9ac4a95442
Malware Config
Signatures
Detect Neshta Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/1756-130-0x0000000000400000-0x000000000042B000-memory.dmp | family_neshta
behavioral2/memory/1756-134-0x0000000000400000-0x000000000042B000-memory.dmp | family_neshta
behavioral2/memory/1756-135-0x0000000000400000-0x000000000042B000-memory.dmp | family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp.exe
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Executes dropped EXE (1 IoC)
pid | process
4508 | tmp.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry; likely used for geofencing.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | tmp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE | tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | tmp.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpconfig.exe | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~4.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\wmpshare.exe | tmp.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | tmp.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | tmp.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE | tmp.exe
File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE | tmp.exe
Drops file in Windows directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\svchost.com | tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | tmp.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 1756 wrote to memory of 4508 | 1756 | tmp.exe | tmp.exe
PID 1756 wrote to memory of 4508 | 1756 | tmp.exe | tmp.exe
PID 1756 wrote to memory of 4508 | 1756 | tmp.exe | tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 1756
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. (child of PID 1756) C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\tmp.exe"
      PID: 4508
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 336KB
MD5: 4724e888466f75a9342825103977822a
SHA1: 26bd7335b3783fc5d1a69fabebcf164e3895b773
SHA256: 6cb4c36711b19010654bf683a2ced1c3e8fb17710a9a7d08a7488bc0e2bfb273
SHA512: 785f3d5c2d3ad6904261e3149c1852c662886f430cb48d8a2332c9c932192673a247471e38b90b87f591aa39817ef5b454307ad82f588318360ca5779d735478