neshta | ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82

General

Target

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
Size

85KB
MD5

49fe82fed15d3e3527ebc6c725e15ec0
SHA1

f3e26e38056804a001fec5e3f7c4fad10f6057c2
SHA256

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82
SHA512

8641f098e0df6ec9364ba93e45d6611f9bbd49bf8e2bea2fa68521b52710586391878a547f098f05bdac80b1a07d36dbedaae829f1d1358464c07a5d1b86712a
SSDEEP

1536:yxqjQ+P04wsZLnDrC/YNmCivHx8+nrLxPhel/sq:zr8WDrC+qHe+/bel0q

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

pid process

3384 ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

pid	process
3384	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

Drops file in Windows directory 1 IoCs

Processes:

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

description ioc process

File opened for modification C:\Windows\svchost.com ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

Modifies registry class 1 IoCs

Processes:

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

description	pid	process	target process
PID 2416 wrote to memory of 3384	2416	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
PID 2416 wrote to memory of 3384	2416	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
PID 2416 wrote to memory of 3384	2416	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe	ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe

C:\Users\Admin\AppData\Local\Temp\ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
"C:\Users\Admin\AppData\Local\Temp\ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\3582-490\ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe"
2⤵
- Executes dropped EXE
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
Filesize
45KB

MD5
97236558e9374fe56b7c7d05dee21b4d

SHA1
c7e96f5789c6175b476f04bacc5c9fad6efe9654

SHA256
e63d3e1f405a62b5358ccb3ce9d4337a2d0fab9c95598f530316bf17dea4956d

SHA512
e9aaaf521d9ee457b074da3beb26008821f970c23e608f8a8e0abf73ef016e0872db7d75b10a8719fd9d4857aa7093aa766c0eb3010a05ec4c9cd810a3487af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ddd6cf10bf1cf4e376407bd125d4444fad837e74f3d4b14f7470b5b086213c82.exe
Filesize
45KB

MD5
97236558e9374fe56b7c7d05dee21b4d

SHA1
c7e96f5789c6175b476f04bacc5c9fad6efe9654

SHA256
e63d3e1f405a62b5358ccb3ce9d4337a2d0fab9c95598f530316bf17dea4956d

SHA512
e9aaaf521d9ee457b074da3beb26008821f970c23e608f8a8e0abf73ef016e0872db7d75b10a8719fd9d4857aa7093aa766c0eb3010a05ec4c9cd810a3487af5

Download Submit
memory/3384-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads