neshta | 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480

General

Target

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Size

602KB
MD5

993b822d6ddede8b886635e88f83cf59
SHA1

01ec71e477dc29260e46ce2ee716a81a84eb176d
SHA256

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480
SHA512

37ebdb7192380410f69aaaec4f6f0ce681182fe7a0fb6183b8cd98aa842530e580751086ec421f985cc7ee58bba618bb4329fa957601150e910039ecf03634c9

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
C:\odt\office2016setup.exe	family_neshta
C:\Users\Admin\AppData\Roaming\Ground.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

pid process

2676 52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

pid	process
2676	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjinfo.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\gappvcleaner.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\gSmartTagInstall.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjcmd.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjdeps.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjavah.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjstat.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\gAppSharingHookController.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\gaccicons.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\gAppVDllSurrogate32.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gappletviewer.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjstatd.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\7-Zip\g7zFM.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\7-Zip\gUninstall.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\gSmartTagInstall.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\gchrome.exe.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\gnotification_helper.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\gchrome_proxy.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjstat.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\gFLTLDR.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\gmisc.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\gmisc.ico	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.exe.sig	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

Drops file in Windows directory 2 IoCs

Processes:

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
File opened for modification	C:\Windows\bfsvc.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

description	pid	process	target process
PID 660 wrote to memory of 2676	660	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
PID 660 wrote to memory of 2676	660	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
PID 660 wrote to memory of 2676	660	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe	52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe

C:\Users\Admin\AppData\Local\Temp\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
"C:\Users\Admin\AppData\Local\Temp\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\3582-490\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Filesize
562KB

MD5
be3ae6a678ccd948d3f0bfccdf314148

SHA1
0734c70c1ae5a1b40684e9a6ba36d8afaf01aed1

SHA256
881cd1d326dd557a5b27ba322df35e8cd51d3be2f90ef427d19e1ca7cc245c94

SHA512
439ece7c9ba256dbf97bba2852ac157f4ed8f20503aa08144c6719e47986961b9d1f4d02e80846bec0da81dfcc0cd38e20084385e00b4bbd96d0292f991cf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480.exe
Filesize
562KB

MD5
be3ae6a678ccd948d3f0bfccdf314148

SHA1
0734c70c1ae5a1b40684e9a6ba36d8afaf01aed1

SHA256
881cd1d326dd557a5b27ba322df35e8cd51d3be2f90ef427d19e1ca7cc245c94

SHA512
439ece7c9ba256dbf97bba2852ac157f4ed8f20503aa08144c6719e47986961b9d1f4d02e80846bec0da81dfcc0cd38e20084385e00b4bbd96d0292f991cf6c4

Download Submit
C:\Users\Admin\AppData\Roaming\Ground.exe
Filesize
602KB

MD5
993b822d6ddede8b886635e88f83cf59

SHA1
01ec71e477dc29260e46ce2ee716a81a84eb176d

SHA256
52865401637ababe754cc70a57b58b1183fb6036d9a63b14bdde08d3ee666480

SHA512
37ebdb7192380410f69aaaec4f6f0ce681182fe7a0fb6183b8cd98aa842530e580751086ec421f985cc7ee58bba618bb4329fa957601150e910039ecf03634c9

Download Submit
C:\odt\office2016setup.exe
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/2676-130-0x0000000000000000-mapping.dmp

Download
memory/2676-133-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2676-136-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads