neshta | 28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05

General

Target

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
Size

311KB
MD5

007ab1ad3d205f93b324075316791446
SHA1

4c16cedc2941fa8252b515f677552b8fe9f82fac
SHA256

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05
SHA512

ca287b85c5e24176f58d98227d2c73b3b312060bff7f7b39500f1500c832894e346a3a41347911d0dd7fa8187bf230502a05dd80fda5413cdb30dba9e103d987

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

pid process

1928 28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

pid	process
1928	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

Drops file in Windows directory 1 IoCs

Processes:

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

description ioc process

File opened for modification C:\Windows\svchost.com 28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

Modifies registry class 1 IoCs

Processes:

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

description	pid	process	target process
PID 1544 wrote to memory of 1928	1544	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
PID 1544 wrote to memory of 1928	1544	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe	28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

C:\Users\Admin\AppData\Local\Temp\28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
"C:\Users\Admin\AppData\Local\Temp\28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\3582-490\28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe"
  2⤵
  - Executes dropped EXE
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\28764903dfe614f2f5e766d2072ddf12edd9c18ce21f6fa8e8302d1a2d423d05.exe

Filesize
270KB

MD5
77c4010d9cf8adf0823f1775984e8881

SHA1
ff9ddb0ca1fe1cf87ed0daae4379bd91d4912095

SHA256
3474bd12b60653cc0831c93f0d61c9c23a57ff2bb16791431340f395cb5238e2

SHA512
05e989787875db2120138ead1bdacea0b6218613005ec84d0d636554fd7c154310c758de78282f9fd68c9058876b325767e47474bc0e0bfdf81f8cea2bc5790d

Download Submit
memory/1928-130-0x0000000000000000-mapping.dmp

Download
memory/1928-136-0x0000016F5CCC0000-0x0000016F5DCC0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads