neshta | fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109

General

Target

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
Size

686KB
MD5

092bfaefc8935e0f6408bcddcec04200
SHA1

b5fa81557b99cca2bd85b6ef97905c2758ae227b
SHA256

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109
SHA512

7d4f1c92a3449fdecd0b058002a47156ebc5bcae6e6f3a77433d30d7cd428ceea7d82b4be1c6180b245805ef3a4265cfffaf085161361dbcfdfc5f0b729dc31b
SSDEEP

12288:sTr3lDzKiooeCJysLP9wSoEA1BdTfutM73173d:sTr3lD/ty+xozBdTff3d3d

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

pid process

1684 fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

pid	process
1684	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Drops file in Windows directory 1 IoCs

Processes:

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

description ioc process

File opened for modification C:\Windows\svchost.com fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Modifies registry class 1 IoCs

Processes:

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

description	pid	process	target process
PID 1436 wrote to memory of 1684	1436	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
PID 1436 wrote to memory of 1684	1436	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
PID 1436 wrote to memory of 1684	1436	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe	fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

C:\Users\Admin\AppData\Local\Temp\fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
"C:\Users\Admin\AppData\Local\Temp\fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe"
2⤵
- Executes dropped EXE
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Filesize
645KB

MD5
64b5966d25e27ac46fa215df0e3dba8c

SHA1
8b65d059d226d2ef24c4ef8b39770a2fe69322a1

SHA256
13207b85fe22ca6ea6f86e4ff58212d06c9621ff58f06b81dc82356ac39519bc

SHA512
015001dd35c5a1bb8bc758b9dd44eaaf46fa37a3458d08bfe77e61e29334707f8f50d27596dbcd3a6e513a9d9281c139e974720c9a49e9ea8f076b1776d00181

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fc43dd62d4b1c6f2217f19c7b81a5697073b552c449347845af3085bddea2109.exe

Filesize
645KB

MD5
64b5966d25e27ac46fa215df0e3dba8c

SHA1
8b65d059d226d2ef24c4ef8b39770a2fe69322a1

SHA256
13207b85fe22ca6ea6f86e4ff58212d06c9621ff58f06b81dc82356ac39519bc

SHA512
015001dd35c5a1bb8bc758b9dd44eaaf46fa37a3458d08bfe77e61e29334707f8f50d27596dbcd3a6e513a9d9281c139e974720c9a49e9ea8f076b1776d00181

Download Submit
memory/1684-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads