neshta | 6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd

General

Target

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
Size

1.4MB
MD5

697e3b4b6dd79bfd1d428ddbd73c0a4b
SHA1

9f9ed8a9b06f37d4074123cf1aa75147dc63ce88
SHA256

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd
SHA512

ab64ac78c3e7b7f4206347915da558915ce70f64d27c0e941cf5baa26bce7c1c5fe650048bbf120c8cd827e6ecee9eaebe7e4de768716a6ed6b744a0d9c6e7a4

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

pid process

4520 6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

pid	process
4520	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_it.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_zh-TW.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_th.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\psuser.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_en.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_lv.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_sr.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\GoogleUpdateComRegisterShell64.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_fa.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_de.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdate.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_pt-BR.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_ur.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_am.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Temp\EU39.tmp\MIA062~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_da.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Temp\EU39.tmp\MICROS~3.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_pt-PT.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_id.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Temp\EU39.tmp\MIF4FD~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\GoogleUpdateBroker.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\psmachine.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_mr.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\GoogleUpdate.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_cs.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_es.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
File created	C:\Program Files (x86)\GUMC2C8.tmp\goopdateres_ko.dll	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Drops file in Windows directory 1 IoCs

Processes:

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

description ioc process

File opened for modification C:\Windows\svchost.com 6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Modifies registry class 1 IoCs

Processes:

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

description	pid	process	target process
PID 3128 wrote to memory of 4520	3128	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
PID 3128 wrote to memory of 4520	3128	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
PID 3128 wrote to memory of 4520	3128	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe	6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

C:\Users\Admin\AppData\Local\Temp\6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
"C:\Users\Admin\AppData\Local\Temp\6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\3582-490\6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Filesize
1.4MB

MD5
4a7ad58ec90ee2fa4784368c535b37dd

SHA1
07303d4c198d1cdc87769b7bc6323499be90fddf

SHA256
22d862d24f218eadceeef01673c3c05baecba666eb89aed4d9bdc6003decc1af

SHA512
dc9a31d12c1a92c91929b02324e5cf4395bc4c3bc068eba10dae2c8c228a4e47b1ad81aa8bbdf17bc3174e900de2c6e535bdf8130ece0f392c8bbba1ea71a5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6109b8a728aa9c79ece857052b0d873d3910318e9ceac9b470c32e2afe6114dd.exe

Filesize
1.4MB

MD5
4a7ad58ec90ee2fa4784368c535b37dd

SHA1
07303d4c198d1cdc87769b7bc6323499be90fddf

SHA256
22d862d24f218eadceeef01673c3c05baecba666eb89aed4d9bdc6003decc1af

SHA512
dc9a31d12c1a92c91929b02324e5cf4395bc4c3bc068eba10dae2c8c228a4e47b1ad81aa8bbdf17bc3174e900de2c6e535bdf8130ece0f392c8bbba1ea71a5cd

Download Submit
memory/4520-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads