neshta | d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 21:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
Size

127KB
MD5

05995838b83f0abd6bb59f8bbe14ef00
SHA1

a53a150517a4118151580fb0b846cc098f3f614c
SHA256

d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee
SHA512

3b6731bc8be1c14b862f871d940fea168a30f674a62cbc823fea0306a2ab52a9da9140c75ea357070241326b5033cb6c3f40aa398e76beafad5536d11441b946
SSDEEP

1536:JxqjQ+P04wsmJCuMKJ3j5kLaT576SM3l0TcnM45QBejSRIZGra0WvKSr:sr85CuZ3VHd2z3UcM45ZGIEhSKC

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 1 IoCs

pid	Process
4316	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4316	2796	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe	83
PID 2796 wrote to memory of 4316	2796	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe	83
PID 2796 wrote to memory of 4316	2796	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe	83
PID 4316 wrote to memory of 4940	4316	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe	84
PID 4316 wrote to memory of 4940	4316	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe	84
PID 4316 wrote to memory of 4940	4316	d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe	84

C:\Users\Admin\AppData\Local\Temp\d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
"C:\Users\Admin\AppData\Local\Temp\d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\3582-490\d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a96619.bat "C:\Users\Admin\AppData\Local\Temp\3582-490\d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe"
    3⤵
    PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Filesize
87KB

MD5
5c10e7da7a833d6c81df9636d57c58e9

SHA1
3785d9ad31555c0fae58dd2c65af96be7f2f7323

SHA256
1db7189edf79a5d69c17219fa36d35752eaa5306d23835428aa3653bf6a18cb5

SHA512
129e30217dab79bd3b666f849eb84b402982f77db06bbb3b078fd694c7d0f2664f9a59a4ef46edd5699c9d350e1c047648ed83ddce3dbd6179b3ccee33db52d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\d4521eb31d41307d254465e86777d0fe78d95dc7db68d464adb54518670c10ee.exe

Filesize
87KB

MD5
5c10e7da7a833d6c81df9636d57c58e9

SHA1
3785d9ad31555c0fae58dd2c65af96be7f2f7323

SHA256
1db7189edf79a5d69c17219fa36d35752eaa5306d23835428aa3653bf6a18cb5

SHA512
129e30217dab79bd3b666f849eb84b402982f77db06bbb3b078fd694c7d0f2664f9a59a4ef46edd5699c9d350e1c047648ed83ddce3dbd6179b3ccee33db52d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a96619.bat

Filesize
57B

MD5
acce5ca0e1fac8ca8e7c1d77724f78de

SHA1
2e3335d667f21805809daed25e931c6f3f396aa4

SHA256
57786a30754d8b1ac5747d6cc9b48857fff5168148c5b75645c83350d9353f62

SHA512
75a1d7493819d5065927fc528e46983ab44e23320b15d9da92d30322d70b1fdb5983a31b1a007896b8ba54a723f186303bc01beade89b7ef00cb28ddbb82bcc6

Download Submit