neshta | a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0

General

Target

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
Size

283KB
MD5

33ee797654c6f4b48d9605bc64550f7c
SHA1

13f41b4b82a0062c808d0d3123779dc2e8e39562
SHA256

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0
SHA512

96dc92a973910fec6c53bd2454c2d9544ea591d8df179c77142505f3b625bb94cfbc1720a30332908a61914ccbca92b51e4acf4f3ca615077b3bf4a8ca91a096
SSDEEP

3072:sr85CQZNGhwPjVr88LkkPl5qcV21BSA5mffoL6xB3UCWT4zeNpdrhUu5biY9Sc/8:k9OKyjVrTLkkP7qcXvxZzchl9+B9Ai

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

pid process

4868 a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

pid	process
4868	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

Drops file in Windows directory 1 IoCs

Processes:

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

description ioc process

File opened for modification C:\Windows\svchost.com a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

Modifies registry class 1 IoCs

Processes:

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

description	pid	process	target process
PID 3364 wrote to memory of 4868	3364	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
PID 3364 wrote to memory of 4868	3364	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
PID 3364 wrote to memory of 4868	3364	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe	a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe

C:\Users\Admin\AppData\Local\Temp\a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
"C:\Users\Admin\AppData\Local\Temp\a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\3582-490\a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe"
2⤵
- Executes dropped EXE
PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
Filesize
242KB

MD5
8f9b5f4f87207be1cf810ddc95124f92

SHA1
f5cec54c9aac59167ba95ec8077438be381fba3d

SHA256
4501e3f8f41966d403e76d3b1d04525098f0b6d41b65741a8351f3b0d3e4397e

SHA512
dac421d8132e474ddfc9ba5954928b40d952af17c4c2085c30f5f3dc631962c2f05db52cb487371108b6b61e6fbc0a82d68ced48e9075a1fbc5a214d5d201097

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a8fc63c4092a1e53596b1ba85445adad23f11f97c33fb10a9c3fbc9b7e71c7b0.exe
Filesize
242KB

MD5
8f9b5f4f87207be1cf810ddc95124f92

SHA1
f5cec54c9aac59167ba95ec8077438be381fba3d

SHA256
4501e3f8f41966d403e76d3b1d04525098f0b6d41b65741a8351f3b0d3e4397e

SHA512
dac421d8132e474ddfc9ba5954928b40d952af17c4c2085c30f5f3dc631962c2f05db52cb487371108b6b61e6fbc0a82d68ced48e9075a1fbc5a214d5d201097

Download Submit
memory/4868-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads