neshta | c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a

Analysis

max time kernel
152s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
Size

1.6MB
MD5

30cd1f10f393ce0355ab0272e6fe40c0
SHA1

ff02be22b87d48e1a9b5b3544fd249937c09665f
SHA256

c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a
SHA512

f43c54ee53310378d50e03b2a150ff3d06fabc8bd1993c63492f96026dfde6ed18b03c2f771b63dd57f9384d04fd72594fd0276c812b2e989d6f7a0f2525e457
SSDEEP

24576:Ftb20pkaCqT5TBWgNQ7aW5MB6dDVPHbZdR17P3e8W0A6A:2Vg5tQ7aW5RdVdpPu845

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\system.exe	family_neshta
\Users\Admin\AppData\Local\Temp\system.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\system.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\system.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

system.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" system.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 3 IoCs

Processes:

system.exenjRAT v0.7d.exesystem.exe

pid process

1472 system.exe
592 njRAT v0.7d.exe
636 system.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	system.exe

pid	process
1472	system.exe
592	njRAT v0.7d.exe
636	system.exe

Drops startup file 2 IoCs

Processes:

c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe

Loads dropped DLL 5 IoCs

Processes:

c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exesystem.exe

pid	process
960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
1472	system.exe
1472	system.exe

Drops file in Program Files directory 64 IoCs

Processes:

system.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	system.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	system.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	system.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	system.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	system.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	system.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	system.exe

Drops file in Windows directory 1 IoCs

Processes:

system.exe

description ioc process

File opened for modification C:\Windows\svchost.com system.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

system.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" system.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	system.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	system.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exesystem.exe

description	pid	process	target process
PID 960 wrote to memory of 1472	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	system.exe
PID 960 wrote to memory of 1472	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	system.exe
PID 960 wrote to memory of 1472	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	system.exe
PID 960 wrote to memory of 1472	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	system.exe
PID 960 wrote to memory of 592	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	njRAT v0.7d.exe
PID 960 wrote to memory of 592	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	njRAT v0.7d.exe
PID 960 wrote to memory of 592	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	njRAT v0.7d.exe
PID 960 wrote to memory of 592	960	c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe	njRAT v0.7d.exe
PID 1472 wrote to memory of 636	1472	system.exe	system.exe
PID 1472 wrote to memory of 636	1472	system.exe	system.exe
PID 1472 wrote to memory of 636	1472	system.exe	system.exe
PID 1472 wrote to memory of 636	1472	system.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe
"C:\Users\Admin\AppData\Local\Temp\c767020810b099c4ebb24220ab9a317b658a2f2a26be762d02a95a2efb7fc63a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\system.exe
C:\Users\Admin\AppData\Local\Temp/system.exe
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe"
3⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe
"C:\Users\Admin\AppData\Local\Temp/njRAT v0.7d.exe"
2⤵
- Executes dropped EXE
PID:592

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
Filesize
145KB

MD5
16a83869f3a5decb6f2308581d545602

SHA1
6601f4ec55351bded6fdd1986385e14e225bb2f8

SHA256
119a4e5167bd258dde45bd54bf7426886503e6e149549247aba2e357e380ac6b

SHA512
f7e03983e4567e94cec21bbb31a81fca645ed3cbef13b509a90ad011d56d2d22c79a05ce96dba392cdde068216628315ac2b8801e56c440eb35b3fa19102565a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\system.exe
Filesize
145KB

MD5
16a83869f3a5decb6f2308581d545602

SHA1
6601f4ec55351bded6fdd1986385e14e225bb2f8

SHA256
119a4e5167bd258dde45bd54bf7426886503e6e149549247aba2e357e380ac6b

SHA512
f7e03983e4567e94cec21bbb31a81fca645ed3cbef13b509a90ad011d56d2d22c79a05ce96dba392cdde068216628315ac2b8801e56c440eb35b3fa19102565a

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe
Filesize
1.7MB

MD5
27029ca1545784ce16194273a1c69566

SHA1
4e5f81db9fd9d98a3694319c62c3ff6afcd4b2d1

SHA256
753a2b83b5f1a5ed8e46d0ec674f7e55d098669200ef2c57a1bfd748341cb485

SHA512
986f83ec5eb743310a949a134dbcdc6b5ee37de9e7eedb99bb6783b9ba96511cd2b7ae7f41420f7c81ef3f0dc76ecf54e6cc39c8532c8dec39e41544a2de8c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe
Filesize
1.7MB

MD5
27029ca1545784ce16194273a1c69566

SHA1
4e5f81db9fd9d98a3694319c62c3ff6afcd4b2d1

SHA256
753a2b83b5f1a5ed8e46d0ec674f7e55d098669200ef2c57a1bfd748341cb485

SHA512
986f83ec5eb743310a949a134dbcdc6b5ee37de9e7eedb99bb6783b9ba96511cd2b7ae7f41420f7c81ef3f0dc76ecf54e6cc39c8532c8dec39e41544a2de8c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize
185KB

MD5
a82796f4ff9d86989f4075a626c0ac42

SHA1
e918915b1625998b230db18736be6a5a10936b0c

SHA256
875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b

SHA512
5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize
185KB

MD5
a82796f4ff9d86989f4075a626c0ac42

SHA1
e918915b1625998b230db18736be6a5a10936b0c

SHA256
875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b

SHA512
5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\system.exe
Filesize
145KB

MD5
16a83869f3a5decb6f2308581d545602

SHA1
6601f4ec55351bded6fdd1986385e14e225bb2f8

SHA256
119a4e5167bd258dde45bd54bf7426886503e6e149549247aba2e357e380ac6b

SHA512
f7e03983e4567e94cec21bbb31a81fca645ed3cbef13b509a90ad011d56d2d22c79a05ce96dba392cdde068216628315ac2b8801e56c440eb35b3fa19102565a

Download Submit
\Users\Admin\AppData\Local\Temp\njRAT v0.7d.exe
Filesize
1.7MB

MD5
27029ca1545784ce16194273a1c69566

SHA1
4e5f81db9fd9d98a3694319c62c3ff6afcd4b2d1

SHA256
753a2b83b5f1a5ed8e46d0ec674f7e55d098669200ef2c57a1bfd748341cb485

SHA512
986f83ec5eb743310a949a134dbcdc6b5ee37de9e7eedb99bb6783b9ba96511cd2b7ae7f41420f7c81ef3f0dc76ecf54e6cc39c8532c8dec39e41544a2de8c97

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe
Filesize
185KB

MD5
a82796f4ff9d86989f4075a626c0ac42

SHA1
e918915b1625998b230db18736be6a5a10936b0c

SHA256
875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b

SHA512
5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe
Filesize
185KB

MD5
a82796f4ff9d86989f4075a626c0ac42

SHA1
e918915b1625998b230db18736be6a5a10936b0c

SHA256
875a119fc622ec4d90607e86198a98a67c31547be7d0f717165c96a20ea3d62b

SHA512
5425430a1b14386af65330855f7a71bdd676a5d6b2be941051155804b3e1e88ba2fd13b68ec288a1389f95509504cf392248f88e09b481c0ac16437b0dfaea98

Download Submit
memory/592-68-0x000007FEF2BD0000-0x000007FEF35F3000-memory.dmp

Filesize
10.1MB

Download
memory/592-62-0x0000000000000000-mapping.dmp

Download
memory/592-71-0x000007FEEE690000-0x000007FEEF726000-memory.dmp

Filesize
16.6MB

Download
memory/592-73-0x0000000000566000-0x0000000000585000-memory.dmp

Filesize
124KB

Download
memory/636-66-0x0000000000000000-mapping.dmp

Download
memory/636-70-0x000007FEF2BD0000-0x000007FEF35F3000-memory.dmp

Filesize
10.1MB

Download
memory/636-72-0x000007FEEE690000-0x000007FEEF726000-memory.dmp

Filesize
16.6MB

Download
memory/960-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1472-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads