neshta | c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a

General

Target

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
Size

1.7MB
MD5

0f5ae684544dc52331e802d9e1471f26
SHA1

eff3b8f69c81c4192ff0c99b65a7ffd4339ad5da
SHA256

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a
SHA512

9529931793f64f95404b179cc6ce80694baec7d9161cc980e3c9be2035cd39bbaffa1a0a4e6c1f7a57f153437d64b6e90799d660afb8e6c20f84e7da71690fe3
SSDEEP

24576:uCdTs3f/ebhYa7edBBLdH2vmuujgd/Bey8XLTIJw9Zl:uCdY3f/B+vyW/I5XLTIw9Zl

Score

10^/10

neshta evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

pid process

2716 c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

pid	process
2716	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

Drops file in Program Files directory 64 IoCs

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

Drops file in Windows directory 1 IoCs

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

description ioc process

File opened for modification C:\Windows\svchost.com c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

Modifies registry class 1 IoCs

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

description	pid	process	target process
PID 1720 wrote to memory of 2716	1720	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
PID 1720 wrote to memory of 2716	1720	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
PID 1720 wrote to memory of 2716	1720	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe	c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe

C:\Users\Admin\AppData\Local\Temp\c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
"C:\Users\Admin\AppData\Local\Temp\c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\3582-490\c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
Filesize
1.7MB

MD5
ca99dd593a24a7369d07ddef76023819

SHA1
c88d76106c34d093167bd69b433cff15f24cfe68

SHA256
26da2d1f83383091e735b74e10c87d69368817c5403c6757537eaeff0982173e

SHA512
a3f2fb49e8c9be8e7f3fd205983985876e3b04dc097aeb237dc5f057bab54b3b39324820ca3028e19439f5abbeae09dc6bc81f4af7811c1430ef57fd32d93b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\c2f700bc8b333ce7210ac7caee61bfb8d9b28eca6c5271f440e9ab45c7f5b18a.exe
Filesize
1.7MB

MD5
ca99dd593a24a7369d07ddef76023819

SHA1
c88d76106c34d093167bd69b433cff15f24cfe68

SHA256
26da2d1f83383091e735b74e10c87d69368817c5403c6757537eaeff0982173e

SHA512
a3f2fb49e8c9be8e7f3fd205983985876e3b04dc097aeb237dc5f057bab54b3b39324820ca3028e19439f5abbeae09dc6bc81f4af7811c1430ef57fd32d93b4f

Download Submit
memory/2716-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads