neshta | 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188

General

Target

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Size

196KB
MD5

cb081dd3495d1dc3fbdbe23d0b9ce457
SHA1

eab376077eac115f1c31c5c5c8cc31f66b1bbed6
SHA256

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188
SHA512

8c590c2ba25150f4f057d62b33ba55bad98a71fb41e7270494f4b419839e4a7ca65314248ef649f83296d134d0c879d4fa8410dc9b86c22e009bc2477fed4dbe
SSDEEP

6144:k9PgMU2x3OgTZu79vSdEVNm48uu8673prh/SAA6:qZhudSdEVNm48uu8673prh/S76

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 3 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.com

pid process

3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
3652 svchost.com

pid	process
3040	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
3652	svchost.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdte.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winupdte.exe\""	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

Drops file in Program Files directory 28 IoCs

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.com

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	svchost.com

Drops file in Windows directory 3 IoCs

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4384 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

description pid process

Token: SeDebugPrivilege 3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

pid process

3040 6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

pid	process
4384	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3040	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

pid	process
3040	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exesvchost.comcmd.exe

description	pid	process	target process
PID 2376 wrote to memory of 3040	2376	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
PID 2376 wrote to memory of 3040	2376	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
PID 2376 wrote to memory of 3040	2376	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
PID 3040 wrote to memory of 3652	3040	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe	svchost.com
PID 3040 wrote to memory of 3652	3040	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe	svchost.com
PID 3040 wrote to memory of 3652	3040	6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe	svchost.com
PID 3652 wrote to memory of 4024	3652	svchost.com	cmd.exe
PID 3652 wrote to memory of 4024	3652	svchost.com	cmd.exe
PID 3652 wrote to memory of 4024	3652	svchost.com	cmd.exe
PID 4024 wrote to memory of 4384	4024	cmd.exe	PING.EXE
PID 4024 wrote to memory of 4384	4024	cmd.exe	PING.EXE
PID 4024 wrote to memory of 4384	4024	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
"C:\Users\Admin\AppData\Local\Temp\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"&"C:\Users\Admin\AppData\Local\Temp\winupdte.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe"&"C:\Users\Admin\AppData\Local\Temp\winupdte.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3
5⤵
- Runs ping.exe
PID:4384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Filesize
156KB

MD5
7a29980745aab6bf019ad7243987d67f

SHA1
03dc181b91d6b0321ae84fd6942fb9e95457057c

SHA256
68f64dde2d2d22a328fd55b86d015f414c487a357a3ce1d706231bb251c01760

SHA512
773cfdeeac28cca5835e79bae42cab1c7ea622427af87cd1cd669618c6b0c63219ff7e1bf1f30b1ab31c7dce18664e811f9b67fa1c7069fcd2ceab861a848a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\6445eff7900b1e036334162cf027b0e8e9c06e69cbd914d7bcddbf2094c10188.exe
Filesize
156KB

MD5
7a29980745aab6bf019ad7243987d67f

SHA1
03dc181b91d6b0321ae84fd6942fb9e95457057c

SHA256
68f64dde2d2d22a328fd55b86d015f414c487a357a3ce1d706231bb251c01760

SHA512
773cfdeeac28cca5835e79bae42cab1c7ea622427af87cd1cd669618c6b0c63219ff7e1bf1f30b1ab31c7dce18664e811f9b67fa1c7069fcd2ceab861a848a63

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/3040-132-0x0000000000000000-mapping.dmp

Download
memory/3040-135-0x0000000073ED0000-0x0000000074481000-memory.dmp

Filesize
5.7MB

Download
memory/3040-140-0x0000000073ED0000-0x0000000074481000-memory.dmp

Filesize
5.7MB

Download
memory/3652-136-0x0000000000000000-mapping.dmp

Download
memory/4024-139-0x0000000000000000-mapping.dmp

Download
memory/4384-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads