neshta | c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf

General

Target

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
Size

1.0MB
MD5

49c06ada1e8434d06291d3616203b8ac
SHA1

51e2e7f3dea1a6e0422e77a76083257620ee500d
SHA256

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf
SHA512

dacfc11670e440f5f319ff9bf0d521de94e1aa4c0120aeec35c7b40a1565186c681628cc2d7bcc3050ecb3c8d056ea29b072705b5c14b8e7be21c3d4fc6a7c21
SSDEEP

768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJL3rDv/aDfzekIfvnj1+h9/z:JxqjQ+P04wsmJCA3E7Ifvj1+h

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

pid process

1848 c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

pid	process
1848	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

Drops file in Windows directory 1 IoCs

Processes:

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

description ioc process

File opened for modification C:\Windows\svchost.com c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2340 1848 WerFault.exe c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

pid	pid_target	process	target process
2340	1848	WerFault.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

Modifies registry class 1 IoCs

Processes:

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

description	pid	process	target process
PID 2448 wrote to memory of 1848	2448	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
PID 2448 wrote to memory of 1848	2448	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
PID 2448 wrote to memory of 1848	2448	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe	c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe

C:\Users\Admin\AppData\Local\Temp\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
"C:\Users\Admin\AppData\Local\Temp\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe"
2⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 188
3⤵
- Program crash
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1848 -ip 1848
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
Filesize
992KB

MD5
7e9c4033730d704faccd1ca0669b212d

SHA1
1e52dd897742361d7c497d19212a6aa12dd3f247

SHA256
409278a4ee415b3c8144c0e720e913d17b571155bb04a8f868b5af2a534bef50

SHA512
6fb609a8cf2b68ad818d5bdc51cac747d7046692a00f50e09b0c14626d9de278a5791f0b8111e7889cb0dd32bae6f4bb3d43bdf554d6eb6f270eea803e9f4493

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c8fd7564c49731bbb330079c135b0388b2cb859b20d1e5a64a2c8d7127f70edf.exe
Filesize
992KB

MD5
7e9c4033730d704faccd1ca0669b212d

SHA1
1e52dd897742361d7c497d19212a6aa12dd3f247

SHA256
409278a4ee415b3c8144c0e720e913d17b571155bb04a8f868b5af2a534bef50

SHA512
6fb609a8cf2b68ad818d5bdc51cac747d7046692a00f50e09b0c14626d9de278a5791f0b8111e7889cb0dd32bae6f4bb3d43bdf554d6eb6f270eea803e9f4493

Download Submit
memory/1848-132-0x0000000000000000-mapping.dmp

Download
memory/1848-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1848-136-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads