neshta | 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e

General

Target

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Size

562KB
MD5

4bf385ae946b98e2679998ce449c2474
SHA1

c6a097bd4174d9cc319972ef00c22ee891b839f7
SHA256

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e
SHA512

3ed10d09d750f200fc155672c7d7ba21ed4e230cd0eaae4634327770984831c489bb3967e55b263fe54280a47a7c5a5abfad5e627a69a7d7064ce3f4d55c9a9c

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 2 IoCs

Processes:

resource	yara_rule
C:\odt\office2016setup.exe	family_neshta
C:\Users\Admin\AppData\Roaming\Ground.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

pid process

3144 69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

pid	process
3144	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\gchrome_proxy.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\gDW20.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\7-Zip\g7z.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjrunscript.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\geqnedt32.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\gIntegratedOffice.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\gelevation_service.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\gchrmstp.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\gAppVShNotify.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\gchrome.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gextcheck.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjconsole.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gidlj.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\gSQLDumper.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\gMavInject32.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCXA4F.tmp	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\gSQLDumper.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\gSQLDumper.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjava-rmi.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\7-Zip\g7zFM.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjava-rmi.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjavap.ico	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjhat.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

Drops file in Windows directory 2 IoCs

Processes:

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
File opened for modification	C:\Windows\bfsvc.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

description	pid	process	target process
PID 4460 wrote to memory of 3144	4460	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
PID 4460 wrote to memory of 3144	4460	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
PID 4460 wrote to memory of 3144	4460	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe	69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe

C:\Users\Admin\AppData\Local\Temp\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
"C:\Users\Admin\AppData\Local\Temp\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\3582-490\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Filesize
521KB

MD5
4dd7aaab9842afd62abfd1dea54088a9

SHA1
86128fa917b8ad84da7b0468d6fe011c05c69bfc

SHA256
6b2fe92e9c5c271f76c080a63f472f545ed2c94a8a787774a84017786d91aa51

SHA512
af78d47b727ab880402d171c6824592b9e9824fc6759bfb77e87ce610dc510c25fe82750dc995a95e41a5aea583c617e02f3180571f5fd846bda84e51c8621b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e.exe
Filesize
521KB

MD5
4dd7aaab9842afd62abfd1dea54088a9

SHA1
86128fa917b8ad84da7b0468d6fe011c05c69bfc

SHA256
6b2fe92e9c5c271f76c080a63f472f545ed2c94a8a787774a84017786d91aa51

SHA512
af78d47b727ab880402d171c6824592b9e9824fc6759bfb77e87ce610dc510c25fe82750dc995a95e41a5aea583c617e02f3180571f5fd846bda84e51c8621b5

Download Submit
C:\Users\Admin\AppData\Roaming\Ground.exe
Filesize
562KB

MD5
4bf385ae946b98e2679998ce449c2474

SHA1
c6a097bd4174d9cc319972ef00c22ee891b839f7

SHA256
69b09c1a5293a98eb460ca155a5b216eaf94ad2f377fcf56843205da949be24e

SHA512
3ed10d09d750f200fc155672c7d7ba21ed4e230cd0eaae4634327770984831c489bb3967e55b263fe54280a47a7c5a5abfad5e627a69a7d7064ce3f4d55c9a9c

Download Submit
C:\odt\office2016setup.exe
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/3144-130-0x0000000000000000-mapping.dmp

Download
memory/3144-133-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3144-134-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads