neshta | 6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838

General

Target

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
Size

202KB
MD5

7d25f3c8479bd92a159f3a5baff85ad0
SHA1

ac5a45cbd37eb862de9ae87229319feb9e07fb2c
SHA256

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838
SHA512

ea3b33fc031e30dc380ceafecae99ae2f9d4cb469b04cb046c076dd74d9b014fc17bd06af3433200a917464b06bfb0625c8a3ed8318fef8431735f865657e04d
SSDEEP

3072:sr85Cv5KwJex+nHFtloFc4eaivCKVAi+owpx6r2hlhBwwoTGCVY6zB:k9v5KwQ0nl/21owX6YfqNTfVfzB

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

pid process

4880 6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

pid	process
4880	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

Drops file in Windows directory 1 IoCs

Processes:

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

description ioc process

File opened for modification C:\Windows\svchost.com 6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

Modifies registry class 1 IoCs

Processes:

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

description	pid	process	target process
PID 704 wrote to memory of 4880	704	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
PID 704 wrote to memory of 4880	704	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
PID 704 wrote to memory of 4880	704	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe	6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe

C:\Users\Admin\AppData\Local\Temp\6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
"C:\Users\Admin\AppData\Local\Temp\6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\3582-490\6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe"
2⤵
- Executes dropped EXE
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
Filesize
161KB

MD5
55224509d4a4e1214676aec9d49759c7

SHA1
9adc5aaefaeeec136d8370a3237254468a5a1d93

SHA256
4a8e28ea329ea13bf7a180dc1ea60f5311ca906a235857dc7debc8ac80bb7c80

SHA512
1dad3c094f52d126a7c08e30b43cb5b00a90c293c0f6a7c72e8f22f1f1826bf9fc81280c4c0faa04b704f604a726bc79fd968c8fa6113466b27d938e16ee4d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6e8f33fe7ad51c7640b5fdc03925ab93d6b3cf978f8548c609c622c4e809c838.exe
Filesize
161KB

MD5
55224509d4a4e1214676aec9d49759c7

SHA1
9adc5aaefaeeec136d8370a3237254468a5a1d93

SHA256
4a8e28ea329ea13bf7a180dc1ea60f5311ca906a235857dc7debc8ac80bb7c80

SHA512
1dad3c094f52d126a7c08e30b43cb5b00a90c293c0f6a7c72e8f22f1f1826bf9fc81280c4c0faa04b704f604a726bc79fd968c8fa6113466b27d938e16ee4d41

Download Submit
memory/4880-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads