neshta | 20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710

General

Target

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
Size

260KB
MD5

1f26e84d20cccb8673f7d6cf86f2a02d
SHA1

deeb9c038993ca58456c14744486d3764114f35e
SHA256

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710
SHA512

db2b2aaab053003fe9b4d2d7af9a6a740ff21014bd803a4f79193d572265f35a98668f5504692ecd304f48c38eee363415f0c5424841b7245b45fe948a0243a9

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

pid process

4112 20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~4.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MIA062~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

Drops file in Windows directory 1 IoCs

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

description ioc process

File opened for modification C:\Windows\svchost.com 20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

Modifies registry class 1 IoCs

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

pid	process
4112	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
4112	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

description	pid	process	target process
PID 4132 wrote to memory of 4112	4132	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
PID 4132 wrote to memory of 4112	4132	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
PID 4132 wrote to memory of 4112	4132	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe	20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe

C:\Users\Admin\AppData\Local\Temp\20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
"C:\Users\Admin\AppData\Local\Temp\20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4132

C:\Users\Admin\AppData\Local\Temp\3582-490\20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
Filesize
220KB

MD5
154d65ba22bf6aa3a415c482f335a69a

SHA1
267e4d5c534e1b4e547b298c403f56a17d863195

SHA256
49c47177e29d2ab5152e222ead81c8a78b97e5adb391f68bf3956b1e47c69dea

SHA512
8f094e88025b80f96253f825fdec9ab8a06e68f90d9983cb9771dcaf32083e14686ead0f7039fb362c4186fadb3dbdb7a0ff60e387aef9f2c952268ba40e5a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\20b0bc090117ec0dcde7df4002ab3b89dee31103c45e6eece77908324abb4710.exe
Filesize
220KB

MD5
154d65ba22bf6aa3a415c482f335a69a

SHA1
267e4d5c534e1b4e547b298c403f56a17d863195

SHA256
49c47177e29d2ab5152e222ead81c8a78b97e5adb391f68bf3956b1e47c69dea

SHA512
8f094e88025b80f96253f825fdec9ab8a06e68f90d9983cb9771dcaf32083e14686ead0f7039fb362c4186fadb3dbdb7a0ff60e387aef9f2c952268ba40e5a1f

Download Submit
memory/4112-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads