neshta | 8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51

General

Target

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
Size

416KB
MD5

20f4db1d8f2d796bf4604c6a07fb1db0
SHA1

4fd613e2cb9ba6d06a6ae58b06b0e950b84820cd
SHA256

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51
SHA512

059983d12ecf9b25c10b63731168969b12364805ae311dafbd5dc95fb6826a171e57899cd1ec391458a398f9e38b84c8479a673a1bb7a36b1536e502c016b35f
SSDEEP

1536:JxqjQ+P04wsmJCLekQtYPqtW3dR2ej2yY9bTNNPkDH7z98iE7or5nx/6FT1lSi94:sr85C/QtYyA+o49NajSkrKo

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

pid process

1392 8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

pid	process
1392	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

Drops file in Windows directory 1 IoCs

Processes:

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

description ioc process

File opened for modification C:\Windows\svchost.com 8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

Modifies registry class 1 IoCs

Processes:

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

description	pid	process	target process
PID 1360 wrote to memory of 1392	1360	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
PID 1360 wrote to memory of 1392	1360	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
PID 1360 wrote to memory of 1392	1360	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe	8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe

C:\Users\Admin\AppData\Local\Temp\8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
"C:\Users\Admin\AppData\Local\Temp\8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\3582-490\8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe"
2⤵
- Executes dropped EXE
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
Filesize
376KB

MD5
88963db04059cb3d5bdd61c67cb382d3

SHA1
469965836ba3355ec8e4233e15e109ee28767d89

SHA256
7c67761ad3fb30ba1dda1ac63222cd815aa0cd29ae38741102efb393777d3400

SHA512
3f3e7910ee7155e9c448f588ef4e884eab54c03ff65083f62698ede56465c5e688f58f1ec29d73e294cb905715e0500bb87261089526195f2b3eafc5b89b8d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\8547fd4d53eaf2cff20c7a3cee97f534e203e16aa54df1888c94cad8fd69bf51.exe
Filesize
376KB

MD5
88963db04059cb3d5bdd61c67cb382d3

SHA1
469965836ba3355ec8e4233e15e109ee28767d89

SHA256
7c67761ad3fb30ba1dda1ac63222cd815aa0cd29ae38741102efb393777d3400

SHA512
3f3e7910ee7155e9c448f588ef4e884eab54c03ff65083f62698ede56465c5e688f58f1ec29d73e294cb905715e0500bb87261089526195f2b3eafc5b89b8d66

Download Submit
memory/1392-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads