neshta | 801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90

General

Target

801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
Size

376KB
MD5

c5bb813721c30e8b1522c54fccc0b63d
SHA1

6384a3c681df2329a8fb5635223f2e29546b7548
SHA256

801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90
SHA512

dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34
SSDEEP

6144:UEu8DnsYT9qOq4OP888888888888W88888888888lEu8DnsHEu8DnsHEu8DnsHEW:UcDAZ888888888888W88888888888lcz

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\lsass.exe	family_neshta
C:\Users\Admin\AppData\Roaming\lsass.exe	family_neshta
C:\Users\Admin\AppData\Roaming\lsass.exe	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

lsass.exelsass.exe

pid process

3392 lsass.exe
4644 lsass.exe

pid	process
3392	lsass.exe
4644	lsass.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Local Security Authentication Server = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authentication Server = "C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe"	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exelsass.exe

description	pid	process	target process
PID 4288 set thread context of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 3392 set thread context of 4644	3392	lsass.exe	lsass.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exelsass.exe

description	pid	process	target process
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 4288 wrote to memory of 3104	4288	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
PID 3104 wrote to memory of 3392	3104	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	lsass.exe
PID 3104 wrote to memory of 3392	3104	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	lsass.exe
PID 3104 wrote to memory of 3392	3104	801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe
PID 3392 wrote to memory of 4644	3392	lsass.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
"C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe
"C:\Users\Admin\AppData\Local\Temp\801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe"
4⤵
- Executes dropped EXE
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
376KB

MD5
c5bb813721c30e8b1522c54fccc0b63d

SHA1
6384a3c681df2329a8fb5635223f2e29546b7548

SHA256
801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90

SHA512
dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
376KB

MD5
c5bb813721c30e8b1522c54fccc0b63d

SHA1
6384a3c681df2329a8fb5635223f2e29546b7548

SHA256
801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90

SHA512
dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
376KB

MD5
c5bb813721c30e8b1522c54fccc0b63d

SHA1
6384a3c681df2329a8fb5635223f2e29546b7548

SHA256
801a3ba26989f63907e984f5bccc45c7756548b15f3d663725fdac3ced8bee90

SHA512
dca07ebff3a15630c1025d54e2699adbe671f39bb9adc077b6d7ee9f7064dd950872c57416a874db45e4667e0834afda9042d3bc2f7630839f315924f04c6d34

Download Submit
memory/3104-135-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3104-137-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3104-138-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3104-139-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3104-132-0x0000000000000000-mapping.dmp

Download
memory/3104-134-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3104-133-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3392-140-0x0000000000000000-mapping.dmp

Download
memory/4644-143-0x0000000000000000-mapping.dmp

Download
memory/4644-150-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4644-151-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads