neshta | 002627ee9699b28cedc585da9a1bec3421da624eadcfc42bbb7f64471c8c770a

General

Target

Pre Alert Notice.exe
Size

2.1MB
MD5

66ec236f7e3706529af4c68b2d557507
SHA1

507f6c2309ed1bf9ccaf6f3cd9d77c9047732e0f
SHA256

002627ee9699b28cedc585da9a1bec3421da624eadcfc42bbb7f64471c8c770a
SHA512

e1b6155c4edd32d9109597c588a00052bcba3106cce377e7cc9ad2427463f658912ea87c278e75efe9dac56f6b3e2e9e2469795469cf9ce5c9ab626f23ee31a5

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3788-144-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3788-145-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3788-146-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3788-147-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3788-149-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	InstallUtil.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Pre Alert Notice.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Pre Alert Notice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Pre Alert Notice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exjfj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sdfwbjjt\\Exjfj.exe\""	Pre Alert Notice.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Pre Alert Notice.exe

description pid process target process

PID 2016 set thread context of 3788 2016 Pre Alert Notice.exe InstallUtil.exe

description	pid	process	target process
PID 2016 set thread context of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe

Drops file in Program Files directory 64 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	InstallUtil.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	InstallUtil.exe

Drops file in Windows directory 1 IoCs

Processes:

InstallUtil.exe

description ioc process

File opened for modification C:\Windows\svchost.com InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	InstallUtil.exe

Modifies registry class 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exePre Alert Notice.exe

pid	process
376	powershell.exe
376	powershell.exe
2016	Pre Alert Notice.exe
2016	Pre Alert Notice.exe
2016	Pre Alert Notice.exe
2016	Pre Alert Notice.exe
2016	Pre Alert Notice.exe
2016	Pre Alert Notice.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Pre Alert Notice.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2016 Pre Alert Notice.exe
Token: SeDebugPrivilege 376 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2016	Pre Alert Notice.exe
Token: SeDebugPrivilege	376	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Pre Alert Notice.exe

description	pid	process	target process
PID 2016 wrote to memory of 376	2016	Pre Alert Notice.exe	powershell.exe
PID 2016 wrote to memory of 376	2016	Pre Alert Notice.exe	powershell.exe
PID 2016 wrote to memory of 376	2016	Pre Alert Notice.exe	powershell.exe
PID 2016 wrote to memory of 4560	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 4560	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 4560	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe
PID 2016 wrote to memory of 3788	2016	Pre Alert Notice.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Pre Alert Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Pre Alert Notice.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANwA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:4560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:3788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sdfwbjjt\Exjfj.exe

Filesize
2.2MB

MD5
be246f1439e5e473fb368512a2ba92f5

SHA1
5f23cec69a9e215f8730f75222c642921e1f7fe8

SHA256
5dd122e49f7482a7016e4802fc224533596b91a66a4c63a0f75a36f4641c960f

SHA512
537f70f91e9467b100ecf8129b74fb62efcbcd6f59c4c0a78601df1bb01e3f3407e9ac61098e8013ad3c34adfe0bff63727c05c87072342594158b989f0035ef

Download Submit
memory/376-139-0x0000000006700000-0x000000000671A000-memory.dmp

Filesize
104KB

Download
memory/376-132-0x0000000000000000-mapping.dmp

Download
memory/376-133-0x0000000004C10000-0x0000000004C46000-memory.dmp

Filesize
216KB

Download
memory/376-134-0x00000000052E0000-0x0000000005908000-memory.dmp

Filesize
6.2MB

Download
memory/376-135-0x0000000005B00000-0x0000000005B66000-memory.dmp

Filesize
408KB

Download
memory/376-136-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/376-137-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/376-138-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/2016-140-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2016-130-0x0000000000410000-0x0000000000634000-memory.dmp

Filesize
2.1MB

Download
memory/2016-141-0x000000000CE10000-0x000000000D3B4000-memory.dmp

Filesize
5.6MB

Download
memory/2016-131-0x0000000005270000-0x0000000005292000-memory.dmp

Filesize
136KB

Download
memory/3788-143-0x0000000000000000-mapping.dmp

Download
memory/3788-144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3788-145-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3788-146-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3788-147-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3788-149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3788-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4560-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads