neshta | b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606

General

Target

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
Size

264KB
MD5

30c103a128df62ca59a787716b770900
SHA1

8d006ccb8798304cad93f67b805346c52350b0c9
SHA256

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606
SHA512

c811f38b48b4624142ad8e53bbbcaeb01b4bd9a0bc89f9c4b48fa7341f1d67475d483115db6353612c1fd75fa9071f9f2575f5ca3b2b58612e313634b3954bdd
SSDEEP

6144:PuaekInuIHERjFJaW7/mf5FwIBkfGPfPZ:8uIHE7J9G52UkfGPnZ

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

pid process

4176 b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

pid	process
4176	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

Drops file in Windows directory 1 IoCs

Processes:

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

description ioc process

File opened for modification C:\Windows\svchost.com b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

Modifies registry class 1 IoCs

Processes:

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

description	pid	process	target process
PID 4172 wrote to memory of 4176	4172	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
PID 4172 wrote to memory of 4176	4172	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
PID 4172 wrote to memory of 4176	4172	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe	b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe

C:\Users\Admin\AppData\Local\Temp\b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
"C:\Users\Admin\AppData\Local\Temp\b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\3582-490\b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe"
2⤵
- Executes dropped EXE
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
Filesize
223KB

MD5
25902a9fa8a7b274bd7b2b0062c5e3ad

SHA1
1db9b2d73863797c919656a31aedc67f4dda0956

SHA256
bbce2991761b720853e09584c9f59a4145c81d10fd61b28a776cc09cd3bb99c4

SHA512
47648b3f1082559b0475998e987578924003de60a7a9619cc61af4d2e6857642cfd7b68ab15099ebbfd89c7462f122136945b81cceb69ff73edd49a53a893725

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b1a7101ef80aa6c387dea80962e76810e6ac64d740d7f763a52d7e7304da3606.exe
Filesize
223KB

MD5
25902a9fa8a7b274bd7b2b0062c5e3ad

SHA1
1db9b2d73863797c919656a31aedc67f4dda0956

SHA256
bbce2991761b720853e09584c9f59a4145c81d10fd61b28a776cc09cd3bb99c4

SHA512
47648b3f1082559b0475998e987578924003de60a7a9619cc61af4d2e6857642cfd7b68ab15099ebbfd89c7462f122136945b81cceb69ff73edd49a53a893725

Download Submit
memory/4176-132-0x0000000000000000-mapping.dmp

Download
memory/4176-135-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4176-136-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads