neshta | ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66

General

Target

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
Size

5.1MB
MD5

3bd3dbf2413f58ebc8c14f70cb8fa971
SHA1

f4b97872e84e7686a81f0a6024142b58eddaf9df
SHA256

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66
SHA512

7b65386c04693b12738c0ef6011857266ef39dc711f60d49af169b2874666a49eeab53debc59ddf03ac803c30b020ccfaaf671b40222f9316a675573424189e1

Score

10^/10

neshta persistence spyware stealer vmprotect

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4312-130-0x0000000000400000-0x0000000000C5C000-memory.dmp	vmprotect
behavioral2/memory/4312-132-0x0000000000400000-0x0000000000C5C000-memory.dmp	vmprotect
behavioral2/memory/4312-133-0x0000000000400000-0x0000000000C5C000-memory.dmp	vmprotect
behavioral2/memory/4312-134-0x0000000000400000-0x0000000000C5C000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

pid process

4312 ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

Drops file in Program Files directory 64 IoCs

Processes:

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~4.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

Drops file in Windows directory 1 IoCs

Processes:

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

description ioc process

File opened for modification C:\Windows\svchost.com ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

Modifies registry class 1 IoCs

Processes:

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

pid	process
4312	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
4312	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
4312	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
4312	ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe

C:\Users\Admin\AppData\Local\Temp\ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe
"C:\Users\Admin\AppData\Local\Temp\ea827737a0330d253102ed2ae77218147c741cd83e69e3f04ed4c165504bfc66.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4312-130-0x0000000000400000-0x0000000000C5C000-memory.dmp

Filesize
8.4MB

Download
memory/4312-132-0x0000000000400000-0x0000000000C5C000-memory.dmp

Filesize
8.4MB

Download
memory/4312-133-0x0000000000400000-0x0000000000C5C000-memory.dmp

Filesize
8.4MB

Download
memory/4312-134-0x0000000000400000-0x0000000000C5C000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads