neshta | fd8ecb99ecee0d54565a781a729ee7ad19203a5105820981d5e818c45d09f82f

General

Target

LIZ.exe
Size

86KB
MD5

208325c2e57a7d0c51d5b0ad2d7d8248
SHA1

2bfb81ff22483ddf16e0cd792f3cdc26799b0c3a
SHA256

fd8ecb99ecee0d54565a781a729ee7ad19203a5105820981d5e818c45d09f82f
SHA512

b8edb0a68dbc685a1b9bc99e83067fa6b69a0650decf1a189e405a61dc7fc192b36d2e6a51b7695069d3f31a794219a7816609ca6602c24e4d04cd3d699ceaa9

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

LIZ.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" LIZ.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

LIZ.exe

pid process

1456 LIZ.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

LIZ.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation LIZ.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	LIZ.exe

pid	process
1456	LIZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	LIZ.exe

Drops file in Program Files directory 64 IoCs

Processes:

LIZ.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	LIZ.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~4.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	LIZ.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	LIZ.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	LIZ.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	LIZ.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	LIZ.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	LIZ.exe

Drops file in Windows directory 1 IoCs

Processes:

LIZ.exe

description ioc process

File opened for modification C:\Windows\svchost.com LIZ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

LIZ.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" LIZ.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	LIZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	LIZ.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

LIZ.exe

description	pid	process	target process
PID 2856 wrote to memory of 1456	2856	LIZ.exe	LIZ.exe
PID 2856 wrote to memory of 1456	2856	LIZ.exe	LIZ.exe
PID 2856 wrote to memory of 1456	2856	LIZ.exe	LIZ.exe

C:\Users\Admin\AppData\Local\Temp\LIZ.exe
"C:\Users\Admin\AppData\Local\Temp\LIZ.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe"
2⤵
- Executes dropped EXE
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe
Filesize
46KB

MD5
91d250c1e5c73c743b0e3becd2296969

SHA1
13952c214f73fb5ea56c0eca570faf8e45313b0f

SHA256
987c83dbf43df97430783c0098318cc6b1c41e52d460128746f7e89bd052ba5d

SHA512
b6cf1538bb2f5c82e9388579837b7d19777208d64284bf9495b7612e9e2de961ab6819fc6d4b538608343baab4c27c04897182d1dd95c215a1197c193b2f3857

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\LIZ.exe
Filesize
46KB

MD5
91d250c1e5c73c743b0e3becd2296969

SHA1
13952c214f73fb5ea56c0eca570faf8e45313b0f

SHA256
987c83dbf43df97430783c0098318cc6b1c41e52d460128746f7e89bd052ba5d

SHA512
b6cf1538bb2f5c82e9388579837b7d19777208d64284bf9495b7612e9e2de961ab6819fc6d4b538608343baab4c27c04897182d1dd95c215a1197c193b2f3857

Download Submit
memory/1456-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing