neshta | 7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749

General

Target

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
Size

731KB
MD5

91850432e54b74d679f38ea245efb989
SHA1

84f0ec6e081d98e4c9666a7dc995234ac088a611
SHA256

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749
SHA512

4e395731341b5963da868c44b4496bc2a2dd158de5802a427218eb757f5a799bb1f6c03adf28d5ce4dedfbbbbf825b421ce432b789faa8eb28b963f1d990490b
SSDEEP

12288:qAugAYhxHq9avUBHxf+gYSKAmMPzuDJXM23zzU:BAYzHq8eFYSKAmMPz+JXd3U

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

pid process

4840 7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

pid	process
4840	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Drops file in Windows directory 1 IoCs

Processes:

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

description ioc process

File opened for modification C:\Windows\svchost.com 7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1696 3012 WerFault.exe 7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

pid	pid_target	process	target process
1696	3012	WerFault.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Modifies registry class 1 IoCs

Processes:

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

description	pid	process	target process
PID 3012 wrote to memory of 4840	3012	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
PID 3012 wrote to memory of 4840	3012	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
PID 3012 wrote to memory of 4840	3012	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe	7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

C:\Users\Admin\AppData\Local\Temp\7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
"C:\Users\Admin\AppData\Local\Temp\7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 252
  2⤵
  - Program crash
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\3582-490\7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe"
  2⤵
  - Executes dropped EXE
  PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3012 -ip 3012
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Filesize
690KB

MD5
b0476efdf5aba0f408a8fd705a704501

SHA1
7e7def2f8c145c893cd5659979ca072570ccb177

SHA256
028d25ac6536f2fea9e6d45c4271121258bb82e31f0d1b272b63eccf977050f2

SHA512
f94d9e78e92de669c2884ec92893f58e0940eccacee43ac5204197fb2067364fcf0e1c6ca8703b4fcae51d6cc426935cf067b6a3f916d4bf1e36575808a475e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\7dfa7d1d59b3f6cc0bfc99d7d11abd261e6281171a595e085259d9bbac6d4749.exe

Filesize
690KB

MD5
b0476efdf5aba0f408a8fd705a704501

SHA1
7e7def2f8c145c893cd5659979ca072570ccb177

SHA256
028d25ac6536f2fea9e6d45c4271121258bb82e31f0d1b272b63eccf977050f2

SHA512
f94d9e78e92de669c2884ec92893f58e0940eccacee43ac5204197fb2067364fcf0e1c6ca8703b4fcae51d6cc426935cf067b6a3f916d4bf1e36575808a475e4

Download Submit
memory/4840-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads