neshta | acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3

General

Target

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
Size

212KB
MD5

1b5179dd7832afc0ba092c0e80f21450
SHA1

5cce39b3e85c432c2ad135874e11d759b133789f
SHA256

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3
SHA512

395f7334432e9e377688d707786be28646214bf1abbcdb2f6dc143d5e9d267414732a47bebbf9e146552d4f713cfe6115c7d69deb6b146814a24a311a3b44ab7
SSDEEP

3072:sr85Ckb7XSAF/+E7eKb/mqz7u3F4VkU3QRFeJDK+90X:k9IDSAF/7eKlzy3KCIgeJSX

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

pid process

4132 acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

pid	process
4132	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Drops file in Windows directory 1 IoCs

Processes:

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

description ioc process

File opened for modification C:\Windows\svchost.com acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Modifies registry class 1 IoCs

Processes:

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

description	pid	process	target process
PID 4788 wrote to memory of 4132	4788	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
PID 4788 wrote to memory of 4132	4788	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
PID 4788 wrote to memory of 4132	4788	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe	acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

C:\Users\Admin\AppData\Local\Temp\acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
"C:\Users\Admin\AppData\Local\Temp\acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\3582-490\acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe"
2⤵
- Executes dropped EXE
PID:4132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Filesize
171KB

MD5
8ab7aa6286f2919518495597d7134fdb

SHA1
6e017e8bcd2e91027bb9dfef993d6896fbcb2192

SHA256
aa6398b539dbe090f0a62ba7c38acd44551f8e75dba58e40b3d0c97c0c8a7ee4

SHA512
9762276a2b96112221fd0db46441783d306010c9977cfe1185e014d0a76a14c6d472bf5a8bea931ab6d57a82193da15e10598e92083ba1f2ab67a035b5c0b6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\acf99f5ae92cfe459fbbebe689f60a8b9aff04b8ce988100750f7c36472441b3.exe

Filesize
171KB

MD5
8ab7aa6286f2919518495597d7134fdb

SHA1
6e017e8bcd2e91027bb9dfef993d6896fbcb2192

SHA256
aa6398b539dbe090f0a62ba7c38acd44551f8e75dba58e40b3d0c97c0c8a7ee4

SHA512
9762276a2b96112221fd0db46441783d306010c9977cfe1185e014d0a76a14c6d472bf5a8bea931ab6d57a82193da15e10598e92083ba1f2ab67a035b5c0b6c6

Download Submit
memory/4132-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads