neshta | 217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3

General

Target

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe
Size

113KB
MD5

00fbea71b3f5a7edda3b2f6e78f3a0a0
SHA1

3effcc8a06bcfb1b41c02641decac20442dd5f90
SHA256

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3
SHA512

422dd240f81f8cc3123aee70c4601c5f9c9390f308b3c3e3f3cbe2fc89152e1061ebddfbb8d3272c380cdbc5c7a9d24e8c5b90eb39a27f11e96585cca26177c6
SSDEEP

1536:JxqjQ+P04wsmJCfuXp0Gbhx8ry9YVkbM0soilFeSux+VweJVOZHEDokI7X96LJ++:sr85CTGbhmroM0sHl5uwm5E1uOt

Score

10^/10

neshta persistence spyware upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

pid process

1660 217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

pid	process
1660	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	upx
C:\Users\Admin\AppData\Local\Temp\3582-490\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	upx
behavioral2/memory/1660-135-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1660-136-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

Drops file in Windows directory 1 IoCs

Processes:

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

description ioc process

File opened for modification C:\Windows\svchost.com 217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

Modifies registry class 1 IoCs

Processes:

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

description	pid	process	target process
PID 3448 wrote to memory of 1660	3448	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe
PID 3448 wrote to memory of 1660	3448	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe
PID 3448 wrote to memory of 1660	3448	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe
PID 1660 wrote to memory of 1300	1660	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	Explorer.EXE
PID 1660 wrote to memory of 1300	1660	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	Explorer.EXE
PID 1660 wrote to memory of 1300	1660	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	Explorer.EXE
PID 1660 wrote to memory of 1300	1660	217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe
"C:\Users\Admin\AppData\Local\Temp\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe"
2⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\3582-490\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

Filesize
72KB

MD5
6507fcc4c5f99d6a04e0d8819c6bf010

SHA1
0fa4d98af5d63f8b64e7c60adab71c8c9eadf929

SHA256
d43d56b876cca5b2b01ed42da38d88fc5bc37e101b1793d685b226c0e255b628

SHA512
c29a4c573105903bd3df72d2bc31d36e5e862e8c73daa57d6559d6638ac8698835d6269fc63747fd186c5c525c918f5c57d0df7a93210ff6d38465e0cbddc88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\217be3443718953cf4066be8df887d246b907cb11245b2ab23a29c38d10c2ac3.exe

Filesize
72KB

MD5
6507fcc4c5f99d6a04e0d8819c6bf010

SHA1
0fa4d98af5d63f8b64e7c60adab71c8c9eadf929

SHA256
d43d56b876cca5b2b01ed42da38d88fc5bc37e101b1793d685b226c0e255b628

SHA512
c29a4c573105903bd3df72d2bc31d36e5e862e8c73daa57d6559d6638ac8698835d6269fc63747fd186c5c525c918f5c57d0df7a93210ff6d38465e0cbddc88b

Download Submit
memory/1660-132-0x0000000000000000-mapping.dmp

Download
memory/1660-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads