neshta | 40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c

General

Target

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
Size

720KB
MD5

497d0f9a206302613958832907c63cb0
SHA1

c51b1aa28b969bf1ac8318fa9f5b99831548d985
SHA256

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c
SHA512

b267f9ecf133fbb93bebc3adbf2fe12abc7b7d6638e9a268dac24b8262b09eeed318f47d347cdad17fccaeefd4646d78b39e384a0d5781cec951078371b5e42d
SSDEEP

12288:cvksLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqjxyR5:cvksLWtkrPi37NzHDA6Yg5dsfoTzsxyv

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

pid process

1392 40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

pid	process
1392	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13169~1.31\MICROS~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~3.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~2.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI9C33~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~4.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MIA062~1.EXE	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

Drops file in Windows directory 1 IoCs

Processes:

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

description ioc process

File opened for modification C:\Windows\svchost.com 40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

Modifies registry class 1 IoCs

Processes:

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

description	pid	process	target process
PID 4820 wrote to memory of 1392	4820	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
PID 4820 wrote to memory of 1392	4820	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
PID 4820 wrote to memory of 1392	4820	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe	40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe

C:\Users\Admin\AppData\Local\Temp\40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
"C:\Users\Admin\AppData\Local\Temp\40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\3582-490\40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe"
2⤵
- Executes dropped EXE
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
Filesize
679KB

MD5
da6cbb935bea3b3298eba6873eb33f62

SHA1
427e1a118c119727b54376bd20255b2adcc3ad8b

SHA256
10a581089a59c45a1a855ef33a0d1f85268c87dfbd2cd02f53ea53e69b35cad2

SHA512
caae400ed68dac1d3e97594a57eb4999a5b330a1f100d7c57174f998b9f535839965629307e77bc3802b9515e36a0b13f8a2f0a3420547bfb26b93161dda241d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\40521a0b3d2354de2333822e7130a243eed0b1a0b60c55730571b84a5d3ad61c.exe
Filesize
679KB

MD5
da6cbb935bea3b3298eba6873eb33f62

SHA1
427e1a118c119727b54376bd20255b2adcc3ad8b

SHA256
10a581089a59c45a1a855ef33a0d1f85268c87dfbd2cd02f53ea53e69b35cad2

SHA512
caae400ed68dac1d3e97594a57eb4999a5b330a1f100d7c57174f998b9f535839965629307e77bc3802b9515e36a0b13f8a2f0a3420547bfb26b93161dda241d

Download Submit
memory/1392-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads