neshta | ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a

General

Target

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
Size

313KB
MD5

0a162a7f1e6199d8a6c66944c68634a0
SHA1

299d74d84565174e54db0a8d6c6a053fa317e87d
SHA256

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a
SHA512

f4dccf73b53a8bd271c5b79c54ef8007aebf20b1a525ef490d140fdc0c6fb923f06d604840f1539f0dc1b2a72a2aaf5917f5e0e82429f3c34976dd1c52e7b343
SSDEEP

6144:k9GCefFntQS7e8FBgMCChPXL8bbf08TxT:T57D6MhXgbbf08TxT

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

pid process

4564 ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

pid	process
4564	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Drops file in Windows directory 1 IoCs

Processes:

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

description ioc process

File opened for modification C:\Windows\svchost.com ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Modifies registry class 1 IoCs

Processes:

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

description	pid	process	target process
PID 2760 wrote to memory of 4564	2760	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
PID 2760 wrote to memory of 4564	2760	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
PID 2760 wrote to memory of 4564	2760	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe	ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

C:\Users\Admin\AppData\Local\Temp\ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
"C:\Users\Admin\AppData\Local\Temp\ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\3582-490\ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe"
2⤵
- Executes dropped EXE
PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Filesize
272KB

MD5
42bc36fd844138c0025e5d3bfe0c6c06

SHA1
85aa664dc9461c292d957d9f8e84fa1a1724f9bb

SHA256
f94800774454512dc6baecc95ec478d2b0f7ce102332e4e84a0ee269ac718997

SHA512
e07cd9be84366318922890766052ce3110ef4df9641ceb33017f9ed3aa656b9a8fdcfa3c13f3ed330f7f70ee3de76c5d46a7a03168c0f915783120ea78973af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ff2ac248a6b780b1cecd43328a3a2bcf8f0171059a23211c079c7a0639face0a.exe

Filesize
272KB

MD5
42bc36fd844138c0025e5d3bfe0c6c06

SHA1
85aa664dc9461c292d957d9f8e84fa1a1724f9bb

SHA256
f94800774454512dc6baecc95ec478d2b0f7ce102332e4e84a0ee269ac718997

SHA512
e07cd9be84366318922890766052ce3110ef4df9641ceb33017f9ed3aa656b9a8fdcfa3c13f3ed330f7f70ee3de76c5d46a7a03168c0f915783120ea78973af2

Download Submit
memory/4564-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads