neshta | c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295

General

Target

c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
Size

63KB
MD5

509cca6e2552b0468cec730cc6e4d7ff
SHA1

a15638235b12efebc00a8611ce9cddcef77aeaed
SHA256

c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295
SHA512

287d95727034075e4695942d3156ee8d119dae3c6ec849e0116a3fad9c2022301e09b4a172e119ad37c417a9d95c14cf54fd5ccde7ea6e58d202cf2dda337dd4
SSDEEP

768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ2tgULKrHpED4M2vijLADgnxB8hHSQgw:JxqjQ+P04wsmJCPeK8M2cnvQzr

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

Drops file in Windows directory 1 IoCs

Processes:

c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

description ioc process

File opened for modification C:\Windows\svchost.com c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

Modifies registry class 1 IoCs

Processes:

c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe

C:\Users\Admin\AppData\Local\Temp\c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe
"C:\Users\Admin\AppData\Local\Temp\c433182c0f1e42c29b0a22a37d08a9db2980041dfc3d0fee9fe2aa7efe1be295.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4936