Analysis
max time kernel: 148s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2022 13:23
Behavioral tasks
- behavioral1: sample doc-file#98765678.exe on resource win7-20220901-en
- behavioral2: sample doc-file#98765678.exe on resource win10v2004-20220812-en
General
Target: doc-file#98765678.exe
Size: 865KB
MD5: 5d31ff727ddebc94f37cff188c0fc3e7
SHA1: 64b79513675b4421a1d6c36502a07d9395d3aa24
SHA256: 72a9187d68249e63f4562b466013c4a77b622621a229249874572e667fb80b2e
SHA512: 0bd7cd4e3cd6ec25908c75ead3a8e6ebe46258115b7a110f449b096eb009233a89474e8cde4eb281bf11c1e1cd85f4af643c6a4928e574fc2c25bd343e4f16e6
SSDEEP: 12288:zAtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEJ1888888888888W88888888W:zANzCtUpQ9WWPBSSRMTEpMNJj
Malware Config
Signatures
-
Detect Neshta payload (2 IoCs)
YARA rule family_neshta matched on:
- C:\odt\office2016setup.exe
- C:\Users\Admin\Desktop\ASSERT~1.EXE
Modifies system executable filetype association (2 TTPs, 1 IoC)
Process doc-file#98765678.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
The stored value is C:\Windows\svchost.com "%1" %*, so every .exe launched through the shell runs C:\Windows\svchost.com first, with the intended program and its arguments passed to it. This is persistence that survives deletion of the original dropper: the handler keeps running as long as svchost.com exists.
Neshta
Neshta is a file-infecting virus family: it writes itself into other executables so that running any infected program spreads the infection further and damages the host. The writes to executables under Program Files, the exefile handler change and the C:\Windows\svchost.com drop listed in this report are that behaviour.
Executes dropped EXE (1 IoC)
PID 1552: doc-file#98765678.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Process doc-file#98765678.exe: Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Drops startup file (1 IoC)
Process doc-file#98765678.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoC is listed for this signature.
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process doc-file#98765678.exe: File opened for modification C:\autorun.inf
Drops file in Program Files directory (64 IoCs)
Process: doc-file#98765678.exe (PIDs 868 and 1552)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\vjavah.exe
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\vjcmd.exe
- File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
- File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe
- File created C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\vjabswitch.ico
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
- File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
- File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vIntegratedOffice.ico
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\RCXD41D.tmp
- File created C:\Program Files\Java\jdk1.8.0_66\bin\vjdeps.ico
- File created C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
- File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\vnotification_helper.ico
- File created C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\vOSE.EXE
- File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- File opened for modification C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCXDC5E.tmp
- File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
- File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe
- File created C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\vjinfo.exe
- File created C:\Program Files\Google\Chrome\Application\vchrome_proxy.ico
- File opened for modification C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
- File created C:\Program Files\VideoLAN\VLC\uninstall.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vMavInject32.exe
- File created C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
- File created C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe
- File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe
- File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\vextcheck.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\vCLVIEW.EXE
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\RCXD266.tmp
- File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
- File created C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
- File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
- File created C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
- File created C:\Program Files\Java\jdk1.8.0_66\bin\vjmap.ico
- File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\RCXCB3A.tmp
- File opened for modification C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui
- File created C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
- File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\vOSE.ico
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\vmisc.exe
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.exe
- File created C:\Program Files\VideoLAN\VLC\vuninstall.ico
- File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vOfficeC2RClient.exe
- File created C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
- File created C:\Program Files\Java\jdk1.8.0_66\bin\vidlj.ico
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0
- File created C:\Program Files\Java\jre1.8.0_66\bin\vjabswitch.ico
- File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
- File created C:\Program Files\7-Zip\Uninstall.exe
- File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui
- File created C:\Program Files\Java\jdk1.8.0_66\bin\vjjs.ico
- File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
- File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe
- File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Drops file in Windows directory (2 IoCs)
Process: doc-file#98765678.exe (PIDs 868 and 1552)
- File opened for modification C:\Windows\svchost.com
- File opened for modification C:\Windows\bfsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour"; for this sample it is more consistent with the file-infector activity and the C:\autorun.inf drop above, which together suit spreading to other volumes.
Modifies registry class (1 IoC)
Process doc-file#98765678.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (the same write as the filetype-association signature above)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 868 (doc-file#98765678.exe) wrote to memory of PID 1552 (doc-file#98765678.exe)
- PID 868 (doc-file#98765678.exe) wrote to memory of PID 1552 (doc-file#98765678.exe)
- PID 868 (doc-file#98765678.exe) wrote to memory of PID 1552 (doc-file#98765678.exe)
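The signatures above translate directly into host-detection logic. The block below is an added example, not part of the sandbox report: it flags a non-default exefile handler (and extracts the binary that was put in front of "%1"), an autorun.inf at a drive root, a .lnk written to the Startup folder, and writes to the two Windows-directory paths seen here. The event records are constructed Sysmon-style dictionaries (EventID 13 = registry value set, EventID 11 = file created); only the paths and the registry value are taken from the report.

```python
"""Detection logic for the registry and file-drop behaviours in this report
(added example, not from the report). Events are constructed Sysmon-style
records; only the paths and the registry value come from the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows' default open handler for .exe files: run the file with its arguments.
DEFAULT_EXEFILE_CMD = '"%1" %*'
EXEFILE_KEY = r"HKLM\SOFTWARE\Classes\exefile\shell\open\command"

# Paths from the "Drops ..." signatures above.
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
AUTORUN_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)
WINDIR_WRITES = {r"c:\windows\svchost.com", r"c:\windows\bfsvc.exe"}


@dataclass
class Alert:
    rule: str
    detail: str


def normalize_key(target: str) -> str:
    """Map the NT registry path the sandbox prints to the HKLM form Sysmon logs."""
    key = target.rstrip("\\")
    nt_prefix = "\\REGISTRY\\MACHINE\\"
    if key.upper().startswith(nt_prefix):
        key = "HKLM\\" + key[len(nt_prefix):]
    return key


def check_registry_set(target: str, value: str) -> Optional[Alert]:
    """Flag an exefile handler that is anything other than '"%1" %*'."""
    if normalize_key(target).lower() != EXEFILE_KEY.lower():
        return None
    if value.strip() == DEFAULT_EXEFILE_CMD:
        return None
    # The hijacking binary is whatever was placed in front of the "%1" placeholder.
    hijacker = value.split('"%1"', 1)[0].strip().strip('"')
    return Alert("exefile_handler_hijack", hijacker)


def check_file_create(path: str) -> Optional[Alert]:
    if AUTORUN_RE.match(path):
        return Alert("autorun_inf_at_drive_root", path)
    if STARTUP_LNK_RE.search(path):
        return Alert("startup_folder_lnk", path)
    if path.lower() in WINDIR_WRITES:
        return Alert("windows_dir_write", path)
    return None


def scan(events) -> List[Alert]:
    alerts = []
    for ev in events:
        alert = None
        if ev["EventID"] == 13:      # Sysmon: registry value set
            alert = check_registry_set(ev["TargetObject"], ev["Details"])
        elif ev["EventID"] == 11:    # Sysmon: file created
            alert = check_file_create(ev["TargetFilename"])
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events (not captured logs); values reuse the report's IoCs.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\doc-file#98765678.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\",
     "Details": r'C:\Windows\svchost.com "%1" %*'},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "Details": '"%1" %*'},                                   # default: no alert
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\3582-490\doc-file#98765678.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\3582-490\doc-file#98765678.exe",
     "TargetFilename": r"C:\autorun.inf"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\doc-file#98765678.exe",
     "TargetFilename": r"C:\Windows\svchost.com"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},  # benign: no alert
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule:28} {a.detail}")
```

The exefile rule compares against the exact default handler rather than looking for the string "svchost.com", so any other binary inserted in front of "%1" is caught as well; the Windows-directory rule is a path allow-list and should be widened with the paths your own telemetry shows.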
Processes
1. C:\Users\Admin\AppData\Local\Temp\doc-file#98765678.exe (PID 868)
   Command line: "C:\Users\Admin\AppData\Local\Temp\doc-file#98765678.exe"
   - Modifies system executable filetype association
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\doc-file#98765678.exe (PID 1552, child of 868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\doc-file#98765678.exe"
      - Executes dropped EXE
      - Drops startup file
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
824KB
MD5ef022abab9148a89477c6ef69986245e
SHA13594bf72178d5b25d1d1ea961066c66a351d778b
SHA256ee541918a4c3b9b7e84e29dae647d56fcdb64daa62a369a827ee629fe9352f1a
SHA5125ca980cb99ef842fc02ff862db5b026a61bafd4a73b5c6f081632fa12d322fe197aa80d2e0e20c7dee1e135e235cbaa5e4326b7a894da93119250c89fbfa2321
-
Filesize
824KB
MD5ef022abab9148a89477c6ef69986245e
SHA13594bf72178d5b25d1d1ea961066c66a351d778b
SHA256ee541918a4c3b9b7e84e29dae647d56fcdb64daa62a369a827ee629fe9352f1a
SHA5125ca980cb99ef842fc02ff862db5b026a61bafd4a73b5c6f081632fa12d322fe197aa80d2e0e20c7dee1e135e235cbaa5e4326b7a894da93119250c89fbfa2321
-
Filesize
865KB
MD5504020947f049b4f976487d384b6511c
SHA123c39daf9f5a271af36378917c0a940b74385c83
SHA25604a80b44617d3aeaedaaec43b8facd7b3adb7768aeec0eb329034db622b9ee07
SHA512b69aa72200a5b74145054061276543552b34fe8ce0807d320e895422ae81559d648ce03995f688601c87f701e3a429188fe16132e4b96826026b2ff525828e98
-
Filesize
865KB
MD55d31ff727ddebc94f37cff188c0fc3e7
SHA164b79513675b4421a1d6c36502a07d9395d3aa24
SHA25672a9187d68249e63f4562b466013c4a77b622621a229249874572e667fb80b2e
SHA5120bd7cd4e3cd6ec25908c75ead3a8e6ebe46258115b7a110f449b096eb009233a89474e8cde4eb281bf11c1e1cd85f4af643c6a4928e574fc2c25bd343e4f16e6
-
Filesize
5.1MB
MD502c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
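Reports like this one are usually scraped rather than read, and the extracted form fuses each label to its digest ("MD5ef02...") and repeats entries. The block below is an added example, not part of the report: it parses that flattened layout, validates each digest by length, drops repeated entries by SHA256, and checks a set of digests (here the submitted sample's, from the General section) against the list. The text it parses is a constructed excerpt of three of the entries above.

```python
"""Parser and IoC matcher for the flattened "Downloads" list (added example,
not from the report). DOWNLOADS_EXCERPT is a constructed excerpt of the
report's own list, copied in the fused form the extraction produces."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first, so "SHA1" cannot claim the start of a SHA512/SHA256 line.
FUSED_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")

DOWNLOADS_EXCERPT = """\
Filesize
824KB
MD5ef022abab9148a89477c6ef69986245e
SHA13594bf72178d5b25d1d1ea961066c66a351d778b
SHA256ee541918a4c3b9b7e84e29dae647d56fcdb64daa62a369a827ee629fe9352f1a
SHA5125ca980cb99ef842fc02ff862db5b026a61bafd4a73b5c6f081632fa12d322fe197aa80d2e0e20c7dee1e135e235cbaa5e4326b7a894da93119250c89fbfa2321
-
Filesize
824KB
MD5ef022abab9148a89477c6ef69986245e
SHA13594bf72178d5b25d1d1ea961066c66a351d778b
SHA256ee541918a4c3b9b7e84e29dae647d56fcdb64daa62a369a827ee629fe9352f1a
SHA5125ca980cb99ef842fc02ff862db5b026a61bafd4a73b5c6f081632fa12d322fe197aa80d2e0e20c7dee1e135e235cbaa5e4326b7a894da93119250c89fbfa2321
-
Filesize
865KB
MD55d31ff727ddebc94f37cff188c0fc3e7
SHA164b79513675b4421a1d6c36502a07d9395d3aa24
SHA25672a9187d68249e63f4562b466013c4a77b622621a229249874572e667fb80b2e
SHA5120bd7cd4e3cd6ec25908c75ead3a8e6ebe46258115b7a110f449b096eb009233a89474e8cde4eb281bf11c1e1cd85f4af643c6a4928e574fc2c25bd343e4f16e6
"""

# Digests of the submitted sample, as printed in the General section.
SUBMITTED_SAMPLE = {
    "md5": "5d31ff727ddebc94f37cff188c0fc3e7",
    "sha256": "72a9187d68249e63f4562b466013c4a77b622621a229249874572e667fb80b2e",
}


@dataclass(frozen=True)
class DownloadRecord:
    size: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_downloads(text: str) -> List[DownloadRecord]:
    """Split the flattened list on "-" separators and un-fuse label+digest lines."""
    records: List[DownloadRecord] = []
    cur: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, ln in enumerate(lines):
        if ln == "Filesize":
            cur["size"] = lines[i + 1]
        elif (m := FUSED_LINE.match(ln)):
            label, hexdigest = m.group(1), m.group(2).lower()
            if len(hexdigest) != DIGEST_LEN[label]:
                raise ValueError(f"{label} has {len(hexdigest)} hex chars, expected {DIGEST_LEN[label]}")
            cur[label.lower()] = hexdigest
        if (ln == "-" or i == len(lines) - 1) and cur:
            records.append(DownloadRecord(**cur))
            cur = {}
    return records


def dedupe(records: List[DownloadRecord]) -> List[DownloadRecord]:
    """Keep the first record per SHA256; the report lists the same file per task."""
    seen, out = set(), []
    for r in records:
        if r.sha256 not in seen:
            seen.add(r.sha256)
            out.append(r)
    return out


def match_digests(records: List[DownloadRecord], **digests: str) -> Optional[DownloadRecord]:
    """Return the record agreeing with every supplied digest (md5/sha1/sha256/sha512)."""
    for r in records:
        if all(getattr(r, name) == value.lower() for name, value in digests.items()):
            return r
    return None


def digests_of(data: bytes) -> Dict[str, str]:
    """All four digests of a file's bytes, keyed like DownloadRecord's fields."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256", "sha512")}


RECORDS = dedupe(parse_downloads(DOWNLOADS_EXCERPT))

if __name__ == "__main__":
    print(f"{len(RECORDS)} distinct downloads")
    print("submitted sample in list:", match_digests(RECORDS, **SUBMITTED_SAMPLE) is not None)
```

Matching on more than one digest at once guards against a typo or truncation in any single column of a scraped report; `digests_of` gives you the same four keys for a file on disk so the two can be compared directly.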