neshta | 4d6bee9938b85e65fabba0b920efcff479e565ebbdd91a7d6a631fa7475e9f74

General

Target

1.exe
Size

851KB
MD5

286099dac2f03c7764d9fc6d8c5e02e2
SHA1

eedd56af4f225f991eb63f37597d7ab6e4abeac7
SHA256

4d6bee9938b85e65fabba0b920efcff479e565ebbdd91a7d6a631fa7475e9f74
SHA512

63cf51afd8a4cf8c8afdb498dbf589b12b86c8b978313e9a41ad9dbf1f511cac55b938fa479b8d76e1330df7b7dd6c5be94759165467eb234d6dbc5380edc3b9

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1048-142-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1048-143-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1048-144-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1048-145-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1048-147-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1048-148-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	InstallUtil.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation 1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddhnvo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Wirkpkfbm\\Ddhnvo.exe\""	1.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9A050A08-4B42-49F9-B35B-87045164578F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2954CD32-DCE7-4530-899B-28A397B528B8}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1.exe

description pid process target process

PID 4324 set thread context of 1048 4324 1.exe InstallUtil.exe

description	pid	process	target process
PID 4324 set thread context of 1048	4324	1.exe	InstallUtil.exe

Drops file in Program Files directory 64 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MI391D~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13163~1.19\MICROS~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~4.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~3.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MI9C33~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13163~1.19\MICROS~2.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	InstallUtil.exe

Drops file in Windows directory 1 IoCs

Processes:

InstallUtil.exe

description ioc process

File opened for modification C:\Windows\svchost.com InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	InstallUtil.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry class 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

1.exepowershell.exe

pid process

4324 1.exe
1264 powershell.exe
1264 powershell.exe
4324 1.exe
4324 1.exe
4324 1.exe
4324 1.exe
4324 1.exe
4324 1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4324 1.exe
Token: SeDebugPrivilege 1264 powershell.exe

pid	process
4324	1.exe
1264	powershell.exe
1264	powershell.exe
4324	1.exe
4324	1.exe
4324	1.exe
4324	1.exe
4324	1.exe
4324	1.exe

description	pid	process
Token: SeDebugPrivilege	4324	1.exe
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1.exe

description	pid	process	target process
PID 4324 wrote to memory of 1264	4324	1.exe	powershell.exe
PID 4324 wrote to memory of 1264	4324	1.exe	powershell.exe
PID 4324 wrote to memory of 1264	4324	1.exe	powershell.exe
PID 4324 wrote to memory of 1044	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1044	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1044	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe
PID 4324 wrote to memory of 1048	4324	1.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WIRKPK~1\Ddhnvo.exe

Filesize
891KB

MD5
2bae35cb37885221cf82174985f7854d

SHA1
0bd3a8e0c33f9b3104c78b67d44bad5d0fbb6303

SHA256
9bf43016236415af949773be2d6977c08e450f66efd95b83febf2148f8dc1307

SHA512
50bf9d587eb3d3df7ee4a41e8d87568a200f662c39213127a7893d3fd68830a8bc79940a1f8ba895b0e52057744532b6fe120b9214bf15ada13523ab16c6ff3f

Download Submit
memory/1044-140-0x0000000000000000-mapping.dmp

Download
memory/1048-148-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-143-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-142-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1048-141-0x0000000000000000-mapping.dmp

Download
memory/1264-134-0x0000000005170000-0x0000000005798000-memory.dmp

Filesize
6.2MB

Download
memory/1264-139-0x00000000065C0000-0x00000000065DA000-memory.dmp

Filesize
104KB

Download
memory/1264-138-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/1264-137-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/1264-136-0x0000000005A60000-0x0000000005AC6000-memory.dmp

Filesize
408KB

Download
memory/1264-135-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/1264-133-0x0000000004B00000-0x0000000004B36000-memory.dmp

Filesize
216KB

Download
memory/1264-132-0x0000000000000000-mapping.dmp

Download
memory/4324-130-0x0000000000EC0000-0x0000000000F9A000-memory.dmp

Filesize
872KB

Download
memory/4324-131-0x00000000059F0000-0x0000000005A12000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads