neshta | b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30

General

Target

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
Size

459KB
MD5

26397015c80750da0a36f549d3f2c467
SHA1

13a324ffbfb73ec47a421c9b4fd1662f7f1c87d5
SHA256

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30
SHA512

4c43fe9dd85edb621dabe8c3f0ea07594fb9108c066666cb10f7a95704e6282ecb63bc84d7a4392108f8ec64309fdef42f09484e8ba9528e728ea3bf2551e459
SSDEEP

6144:k9FmU9R+BsKdNSuEnIebQie0bvT51CBLWFY+JLuhmPRDdrJ7k3JzhVDvh:OBf+GKN2r75syvtRpd7k5Hh

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

pid process

2648 b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

pid	process
2648	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

Drops file in Windows directory 1 IoCs

Processes:

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

description ioc process

File opened for modification C:\Windows\svchost.com b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

Modifies registry class 1 IoCs

Processes:

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

description	pid	process	target process
PID 5092 wrote to memory of 2648	5092	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
PID 5092 wrote to memory of 2648	5092	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
PID 5092 wrote to memory of 2648	5092	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe	b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe

C:\Users\Admin\AppData\Local\Temp\b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
"C:\Users\Admin\AppData\Local\Temp\b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\3582-490\b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe"
2⤵
- Executes dropped EXE
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
Filesize
418KB

MD5
920516a8489ae60e72f3dde759fa792a

SHA1
d41adce436a66a09c1e73995ea219afd1fb545b0

SHA256
0bd54c565fe24ce2e586f091a018c5908d16767a9123213f372c9afcbecab937

SHA512
f6848631599c7852310c51965fad9af29e4422dc5939f24d46765f525dc4dd0db6700f5f452e48202692517482dbe2893f2d084295808e7156d6542f977393e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b2c00125b1e6fdff6d44644c6c3b1f84062dab897031d27ee48ba28b3acc1a30.exe
Filesize
418KB

MD5
920516a8489ae60e72f3dde759fa792a

SHA1
d41adce436a66a09c1e73995ea219afd1fb545b0

SHA256
0bd54c565fe24ce2e586f091a018c5908d16767a9123213f372c9afcbecab937

SHA512
f6848631599c7852310c51965fad9af29e4422dc5939f24d46765f525dc4dd0db6700f5f452e48202692517482dbe2893f2d084295808e7156d6542f977393e1

Download Submit
memory/2648-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads