Analysis Overview
SHA256
37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9
Threat Level: Known bad
The file 37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9 was found to be: Known bad.
Malicious Activity Summary
Modifies system executable filetype association
Neshta
Detect Neshta payload
Neshta family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-01 17:58
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-01 17:58
Reported
2022-10-01 18:11
Platform
win10v2004-20220812-en
Max time kernel
160s
Max time network
164s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe
"C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 20.224.254.73:443 | | tcp |
| IE | 13.69.239.72:443 | | tcp |
No domain was recorded for either connection, and the win7 run (behavioral1) logged no network events at all. Neshta is a file infector rather than a beaconing implant, so corroborate these two port-443 connections before treating them as network indicators for this sample.
Files
memory/2392-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe
| MD5 | ee50651e28162c424a59364778398630 |
| SHA1 | c74ad79064edf2b0ef61ed2025bc928a7b3a6668 |
| SHA256 | 825828caa01909a8263b65db9127e8103eaa72db9f919dbc0f841d17b5ba7a9e |
| SHA512 | f72465183dbca793c8c895cb0387646cc12b6914c712ee0af5ea6d68a1146cec259593daef497abe022fbedabe659e966b10e43b651e4244da1673b3be19ebe6 |
memory/2392-135-0x0000000000400000-0x0000000000467000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-01 17:58
Reported
2022-10-01 18:12
Platform
win7-20220812-en
Max time kernel
163s
Max time network
47s
Command Line
Signatures
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
Suspicious use of WriteProcessMemory
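The registry indicator under "Modifies system executable filetype association" (identical in the behavioral2 and behavioral1 Signatures sections above) is the whole mechanism: once HKLM\SOFTWARE\Classes\exefile\shell\open\command points at C:\Windows\svchost.com "%1" %*, every .exe the user launches is first run through the dropped svchost.com, which then starts the requested program. The other two rows that matter are the write to C:\Windows\svchost.com and the copy of the original executable staged and executed under %TEMP%\3582-490\. The following is an added example, not code from the sandbox or any vendor, that turns those three rows into a triage rule. It parses rows in this report's "| Description | Indicator | Process | Target |" layout; SAMPLE_ROWS is constructed from the tables on this page, the rule names and the 3582-490 path pattern are assumptions drawn from the process paths shown above, and the live-registry check only does anything on a Windows host.

```python
r"""Triage rules for the Neshta behaviour recorded in this report.

Added example, not part of the sandbox report or the sandbox vendor's code.
It parses rows in the report's "| Description | Indicator | Process | Target |"
layout and looks for the three behaviours that together identify Neshta:

  1. exefile\shell\open\command no longer holds the Windows default  "%1" %*
     (so every .exe launch goes through the attacker's handler first);
  2. a file written at C:\Windows\svchost.com (the real service host is
     System32\svchost.exe; a .com in the Windows root is not Microsoft's);
  3. a copy of the launched executable staged under %TEMP%\3582-490\ and run.

SAMPLE_ROWS below is constructed from the indicator tables on this page.
"""
import re
import sys
from dataclasses import dataclass, field

DEFAULT_EXEFILE_CMD = '"%1" %*'   # stock (Default) value of HKLM\SOFTWARE\Classes\exefile\shell\open\command
EXEFILE_CMD_KEY = r"SOFTWARE\Classes\exefile\shell\open\command"
STAGING_DIR = re.compile(r"\\AppData\\Local\\Temp\\3582-490\\", re.IGNORECASE)   # assumed Neshta staging dir
WINDOWS_ROOT_COM = re.compile(r"^[A-Z]:\\Windows\\svchost\.com$", re.IGNORECASE)

SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe | N/A |
"""


@dataclass
class Event:
    description: str
    indicator: str
    process: str


@dataclass
class Verdict:
    findings: list = field(default_factory=list)   # (rule_name, evidence) pairs, deduplicated

    @property
    def is_neshta(self):
        # A lone exefile hijack could be another family; require all three behaviours.
        return {"exefile_hijack", "svchost_com_drop", "staged_copy"} <= {name for name, _ in self.findings}


def parse_rows(text):
    """Turn the report's pipe-delimited rows into Events; header rows are skipped, N/A cells become ''."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Description":
            continue
        description, indicator, process = ("" if c == "N/A" else c for c in cells[:3])
        events.append(Event(description, indicator, process))
    return events


def parse_set_value(indicator):
    """Split the report's 'KEY = "value"' indicator and undo its doubled-backslash / escaped-quote encoding."""
    key, _, raw = indicator.partition(" = ")
    value = raw.strip().strip('"').replace('\\"', '"').replace("\\\\", "\\")
    return key.strip().rstrip("\\"), value


def evaluate(events):
    """Apply the three rules; returns a Verdict with deduplicated findings."""
    verdict = Verdict()

    def add(name, evidence):
        if (name, evidence) not in verdict.findings:
            verdict.findings.append((name, evidence))

    for e in events:
        if e.description.startswith("Set value"):
            key, value = parse_set_value(e.indicator)
            if key.upper().endswith(EXEFILE_CMD_KEY.upper()) and value != DEFAULT_EXEFILE_CMD:
                add("exefile_hijack", value)
        elif e.description.startswith("File opened for modification"):
            if WINDOWS_ROOT_COM.match(e.indicator):
                add("svchost_com_drop", e.indicator)
        if STAGING_DIR.search(e.process):
            add("staged_copy", e.process)
    return verdict


def check_live_exefile_command():
    """On a Windows host, read the real handler and return it if it is not the default; None otherwise."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_CMD_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")   # "" selects the key's (Default) value
    return None if value == DEFAULT_EXEFILE_CMD else value


if __name__ == "__main__":
    v = evaluate(parse_rows(SAMPLE_ROWS))
    for name, evidence in v.findings:
        print(f"{name:18} {evidence}")
    print("verdict:", "Neshta" if v.is_neshta else "inconclusive")
    live = check_live_exefile_command()
    if live is not None:
        print("LIVE HOST exefile handler is hijacked:", live)
```

Run against the rows above it reports the hijacked handler once (the same Set value row appears under two signature names and is deduplicated), the svchost.com write and the staged copy, and returns the Neshta verdict. Repairing the hijack means resetting that (Default) value to "%1" %* and removing C:\Windows\svchost.com, but that alone does not undo what the infector did to executables it already wrote to; the Adobe Reader LOGTRA~1.EXE listed under Files for the win7 run is one such file and should be replaced from a known-good source rather than trusted after the registry fix.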
Processes
C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe
"C:\Users\Admin\AppData\Local\Temp\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe"
Network
Files
memory/1104-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe
| MD5 | ee50651e28162c424a59364778398630 |
| SHA1 | c74ad79064edf2b0ef61ed2025bc928a7b3a6668 |
| SHA256 | 825828caa01909a8263b65db9127e8103eaa72db9f919dbc0f841d17b5ba7a9e |
| SHA512 | f72465183dbca793c8c895cb0387646cc12b6914c712ee0af5ea6d68a1146cec259593daef497abe022fbedabe659e966b10e43b651e4244da1673b3be19ebe6 |
memory/936-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\37fa8757aceda33ae6d1b2fc9866756b013c01dbc4eb0897517bf6bf278426c9.exe
| MD5 | ee50651e28162c424a59364778398630 |
| SHA1 | c74ad79064edf2b0ef61ed2025bc928a7b3a6668 |
| SHA256 | 825828caa01909a8263b65db9127e8103eaa72db9f919dbc0f841d17b5ba7a9e |
| SHA512 | f72465183dbca793c8c895cb0387646cc12b6914c712ee0af5ea6d68a1146cec259593daef497abe022fbedabe659e966b10e43b651e4244da1673b3be19ebe6 |
memory/936-59-0x0000000000400000-0x0000000000467000-memory.dmp
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |