neshta | 1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb

General

Target

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
Size

646KB
MD5

43dda2f11c235d1159b4aee3234fe1a0
SHA1

3aefb94c0bc1471a6763affb964a6ff2c10e2041
SHA256

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb
SHA512

c2be174a54c0b3828aaad6c959db8319738f6a11e61312379e4931f882b595ae73d845166d02ff6027770acc8b1ffb0598bf6e22b20fc85f49368deb7409c2e4
SSDEEP

12288:r6yWi+V5B0xVJzhVPARJvd9Wpp8pP2gjDd1Ddv:RfzvAjWpp8pFjDd1Ddv

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

pid process

1032 1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

pid	process
1032	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI9C33~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~3.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~2.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13169~1.31\MICROS~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~4.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI391D~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MIA062~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

Drops file in Windows directory 1 IoCs

Processes:

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

description ioc process

File opened for modification C:\Windows\svchost.com 1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

Modifies registry class 1 IoCs

Processes:

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

description	pid	process	target process
PID 3984 wrote to memory of 1032	3984	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
PID 3984 wrote to memory of 1032	3984	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
PID 3984 wrote to memory of 1032	3984	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe	1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe

C:\Users\Admin\AppData\Local\Temp\1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
"C:\Users\Admin\AppData\Local\Temp\1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\3582-490\1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe"
2⤵
- Executes dropped EXE
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
Filesize
606KB

MD5
1042d94720dc64e98544acfbdd0942cb

SHA1
4330ff12e9c854b49a0b971bc3d5365fa2dfee04

SHA256
c574b686b5d5b7b0fc41120f20cd2352b6d789c735faed4d474b09c0ffd88c5b

SHA512
908b75103be49227048cd71a6faa7983ebea86816baf7a0fc43e8643350db48308d795464ca0aa51a29be558fc991910404ad0939d040a19b9f100f2a3c80c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1033fb9fcc5271aa5dcabd726cc9ac466fcf9c70c87cb9970652d17b2050bdbb.exe
Filesize
606KB

MD5
1042d94720dc64e98544acfbdd0942cb

SHA1
4330ff12e9c854b49a0b971bc3d5365fa2dfee04

SHA256
c574b686b5d5b7b0fc41120f20cd2352b6d789c735faed4d474b09c0ffd88c5b

SHA512
908b75103be49227048cd71a6faa7983ebea86816baf7a0fc43e8643350db48308d795464ca0aa51a29be558fc991910404ad0939d040a19b9f100f2a3c80c71

Download Submit
memory/1032-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads