neshta | 1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc

General

Target

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
Size

896KB
MD5

3b028c11938729ccf0b6e6b7ed0d2c98
SHA1

f931b1b1c27c7e3363872eab75296caeb2a70e1a
SHA256

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc
SHA512

4669b38783ca9faf2aef1a1df1e5e49e2bbeb453ef4d5039bfa734f0a40becb472713fbe4551c2b3af67adcb95c9f9f0a3b4edb427d0f74070bc0d88c9e9f6ed
SSDEEP

12288:L60d9NVns6l79Ieyv0S0rzokaGbbbbbDDDbDu:Lfdvts6HI1NHkaGbbbbbDDDbDu

Score

10^/10

neshta persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

pid process

1012 1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

pid	process
1012	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe	upx
behavioral2/memory/1012-135-0x0000000000400000-0x00000000004C5000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MICROS~4.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13171~1.37\MICROS~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MICROS~2.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MICROS~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MI391D~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

Drops file in Windows directory 1 IoCs

Processes:

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

description ioc process

File opened for modification C:\Windows\svchost.com 1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

Modifies registry class 1 IoCs

Processes:

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

description	pid	process	target process
PID 2972 wrote to memory of 1012	2972	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
PID 2972 wrote to memory of 1012	2972	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
PID 2972 wrote to memory of 1012	2972	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe	1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe

C:\Users\Admin\AppData\Local\Temp\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
"C:\Users\Admin\AppData\Local\Temp\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe"
2⤵
- Executes dropped EXE
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
Filesize
856KB

MD5
ca0d26ee9a94721c968f1b9a9697094f

SHA1
4c2dab7d11f51b8bc7f984d550614f65ee07e210

SHA256
a811f7f0cdcd54adf984c91a681fcd7028c00217bcec62c08e3ec899bd439a8c

SHA512
d95fdc7eec02ef2dd5bbf2e94b17f20ee5e7299ffc26d80c904650efbbaa92e015c3d683c96c20e730a6f9b2db70e092097606c203bbafd2ea213d62d9544340

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1d4652c4be48cc6672002f4cd273d850c0fb67d9edd79d12f65e82ca9e2f4bdc.exe
Filesize
856KB

MD5
ca0d26ee9a94721c968f1b9a9697094f

SHA1
4c2dab7d11f51b8bc7f984d550614f65ee07e210

SHA256
a811f7f0cdcd54adf984c91a681fcd7028c00217bcec62c08e3ec899bd439a8c

SHA512
d95fdc7eec02ef2dd5bbf2e94b17f20ee5e7299ffc26d80c904650efbbaa92e015c3d683c96c20e730a6f9b2db70e092097606c203bbafd2ea213d62d9544340

Download Submit
memory/1012-132-0x0000000000000000-mapping.dmp

Download
memory/1012-135-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads