neshta | f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0

General

Target

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
Size

359KB
MD5

1450bc93ed21158c31c518cd9162e500
SHA1

b61b9cf8e942d4f77e8ba83b8bec539c6c12e0bc
SHA256

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0
SHA512

8606dc663914d87f5e1a954e3cda69ac57aaf4a537a273f08808dca9b33539f2787516183cf27022130981c656b399e41e4d346f6c01a260a10e004ac90cfb6d
SSDEEP

6144:PudtYabOmaEa1r3JHHwe3PfcKrKywz/0K9fqUme9fqUm3:8YaSrYWdGyS0K9fqs9fqx

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

pid process

832 f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

pid	process
832	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~3.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~2.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI9C33~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MIA062~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI391D~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13169~1.31\MICROS~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

Drops file in Windows directory 1 IoCs

Processes:

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

description ioc process

File opened for modification C:\Windows\svchost.com f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

Modifies registry class 1 IoCs

Processes:

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

description	pid	process	target process
PID 4272 wrote to memory of 832	4272	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
PID 4272 wrote to memory of 832	4272	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
PID 4272 wrote to memory of 832	4272	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe	f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe

C:\Users\Admin\AppData\Local\Temp\f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
"C:\Users\Admin\AppData\Local\Temp\f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4272

C:\Users\Admin\AppData\Local\Temp\3582-490\f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe"
2⤵
- Executes dropped EXE
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
Filesize
319KB

MD5
bb06d442f1e67fe8098902de09870a3a

SHA1
2dc823ee61a7b553cd894506092af12a4decc00d

SHA256
dfb919955f82a488d094657a3ab315cd6a70400a418dd1bd08e1bff1397e03be

SHA512
0766e74e4cebf7795a9c68e3174c6896259e7575f6beb6d074daa80edb3f2b2e6d5f3555632c30dfeb98c949529efd5b453ca7fe91661dd6c5d98095fb0df226

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\f453ddee13f6c253a6371d4cf5a7eeabc422ec20648f3cff59bd83d09f419da0.exe
Filesize
319KB

MD5
bb06d442f1e67fe8098902de09870a3a

SHA1
2dc823ee61a7b553cd894506092af12a4decc00d

SHA256
dfb919955f82a488d094657a3ab315cd6a70400a418dd1bd08e1bff1397e03be

SHA512
0766e74e4cebf7795a9c68e3174c6896259e7575f6beb6d074daa80edb3f2b2e6d5f3555632c30dfeb98c949529efd5b453ca7fe91661dd6c5d98095fb0df226

Download Submit
memory/832-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads