neshta | 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f

General

Target

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
Size

229KB
MD5

7a9088fa597f6ac4750cff8a7a73f1f2
SHA1

adbaf9fe8988e6434e38f37218309ee9c438bb42
SHA256

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f
SHA512

9614a8d407446e0239cd5fb584849c34a2651ca9628c2cfccaab7e163ec4b9290896cf74f99edcc95d621b8ae5c66b523e00c7b8ec402a4dbbb21d2f43a51ad0
SSDEEP

3072:sr85CsP19Lhx49Z6J//sLm5Awtk8E7AljslrcujXD7HgHHh:k9sP19Lh/WpWkxAljxh

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

pid process

1464 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

pid	process
1464	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

Drops file in Program Files directory 14 IoCs

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

Drops file in Windows directory 2 IoCs

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
File created	C:\Windows\FONTS\eudcadm.tte	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

pid process

1464 163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

pid	process
1464	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

description	pid	process	target process
PID 4204 wrote to memory of 1464	4204	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
PID 4204 wrote to memory of 1464	4204	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
PID 4204 wrote to memory of 1464	4204	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe	163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe

C:\Users\Admin\AppData\Local\Temp\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
"C:\Users\Admin\AppData\Local\Temp\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4204

C:\Users\Admin\AppData\Local\Temp\3582-490\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
Filesize
188KB

MD5
799961190a2deb65b180a46f1e7aa0a6

SHA1
3d2fe33e2ea5d145c2ad08f5b6c2cc5bd56d5a69

SHA256
99fd37c1bed425b0a5687eca2da51da8b9ae4e230a4684240fd63455373b3001

SHA512
b193c34712058f94c693baf4234b87fc5e7e0c91f143f379b97f564bbf4fafa61f502b5bead5fba57f859fd81f010c11b7db095e4daedac1ff08a5d0fa70eb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\163e91070763ea2a9bea053991ce5e2487df3b646dc01dce16ace91f07d62d8f.exe
Filesize
188KB

MD5
799961190a2deb65b180a46f1e7aa0a6

SHA1
3d2fe33e2ea5d145c2ad08f5b6c2cc5bd56d5a69

SHA256
99fd37c1bed425b0a5687eca2da51da8b9ae4e230a4684240fd63455373b3001

SHA512
b193c34712058f94c693baf4234b87fc5e7e0c91f143f379b97f564bbf4fafa61f502b5bead5fba57f859fd81f010c11b7db095e4daedac1ff08a5d0fa70eb12

Download Submit
memory/1464-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads