neshta | 8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 8 IoCs

Processes:

._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exeSynaptics.exe._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
4864	Synaptics.exe
4456	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
4492	icsys.icn.exe
4580	explorer.exe
608	spoolsv.exe
2592	svchost.exe
1764	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exeexplorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

spoolsv.exeexplorer.exesvchost.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

208 EXCEL.EXE

pid	process
208	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
4492	icsys.icn.exe
4492	icsys.icn.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
2592	svchost.exe
4580	explorer.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
4580	explorer.exe
2592	svchost.exe
2592	svchost.exe
4580	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4580 explorer.exe
2592 svchost.exe

pid	process
4580	explorer.exe
2592	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeEXCEL.EXE

pid	process
1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
4492	icsys.icn.exe
4492	icsys.icn.exe
4580	explorer.exe
4580	explorer.exe
608	spoolsv.exe
608	spoolsv.exe
2592	svchost.exe
2592	svchost.exe
1764	spoolsv.exe
1764	spoolsv.exe
4580	explorer.exe
4580	explorer.exe
208	EXCEL.EXE
208	EXCEL.EXE
208	EXCEL.EXE
208	EXCEL.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3388 wrote to memory of 1648	3388	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
PID 3388 wrote to memory of 1648	3388	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
PID 3388 wrote to memory of 1648	3388	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
PID 3388 wrote to memory of 4864	3388	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	Synaptics.exe
PID 3388 wrote to memory of 4864	3388	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	Synaptics.exe
PID 3388 wrote to memory of 4864	3388	8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	Synaptics.exe
PID 1648 wrote to memory of 4456	1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
PID 1648 wrote to memory of 4456	1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
PID 1648 wrote to memory of 4456	1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
PID 1648 wrote to memory of 4492	1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	icsys.icn.exe
PID 1648 wrote to memory of 4492	1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	icsys.icn.exe
PID 1648 wrote to memory of 4492	1648	._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe	icsys.icn.exe
PID 4492 wrote to memory of 4580	4492	icsys.icn.exe	explorer.exe
PID 4492 wrote to memory of 4580	4492	icsys.icn.exe	explorer.exe
PID 4492 wrote to memory of 4580	4492	icsys.icn.exe	explorer.exe
PID 4580 wrote to memory of 608	4580	explorer.exe	spoolsv.exe
PID 4580 wrote to memory of 608	4580	explorer.exe	spoolsv.exe
PID 4580 wrote to memory of 608	4580	explorer.exe	spoolsv.exe
PID 608 wrote to memory of 2592	608	spoolsv.exe	svchost.exe
PID 608 wrote to memory of 2592	608	spoolsv.exe	svchost.exe
PID 608 wrote to memory of 2592	608	spoolsv.exe	svchost.exe
PID 2592 wrote to memory of 1764	2592	svchost.exe	spoolsv.exe
PID 2592 wrote to memory of 1764	2592	svchost.exe	spoolsv.exe
PID 2592 wrote to memory of 1764	2592	svchost.exe	spoolsv.exe
PID 2592 wrote to memory of 4232	2592	svchost.exe	at.exe
PID 2592 wrote to memory of 4232	2592	svchost.exe	at.exe
PID 2592 wrote to memory of 4232	2592	svchost.exe	at.exe
PID 2592 wrote to memory of 2100	2592	svchost.exe	at.exe
PID 2592 wrote to memory of 2100	2592	svchost.exe	at.exe
PID 2592 wrote to memory of 2100	2592	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
"C:\Users\Admin\AppData\Local\Temp\8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

\??\c:\users\admin\appdata\local\temp\._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
c:\users\admin\appdata\local\temp\._cache_8196488884068411be672639c7ae161a22a82c347c0b7c4048e0a4ad131e4f07.exe
3⤵
- Executes dropped EXE
PID:4456

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4492

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\SysWOW64\at.exe
at 19:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:4232

C:\Windows\SysWOW64\at.exe
at 19:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:2100

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:4864

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

System Information Discovery