neshta | b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf

General

Target

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
Size

154KB
MD5

f53d031893900a221a023dcecf635c5e
SHA1

46301cd53556d3348221fccd536cbfddbeb0317f
SHA256

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf
SHA512

b4a64cb0eb75060510408d1b024af865c498cb3c799d8343917b554048f4791653a7a6fe3c2dc0c44fd27d2deb6437f40d63576daf200e33097a2085c3fd836c
SSDEEP

3072:sr8JCtz5RI+FlB6MfXhaYf+YC/A114IV71h7rNIVCTXA3eZIkesJPPqb5g+VTjKD:ktxI+TLbx

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

pid process

4792 b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

pid	process
4792	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

Drops file in Windows directory 1 IoCs

Processes:

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

description ioc process

File opened for modification C:\Windows\svchost.com b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

Modifies registry class 1 IoCs

Processes:

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

description	pid	process	target process
PID 4848 wrote to memory of 4792	4848	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
PID 4848 wrote to memory of 4792	4848	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
PID 4848 wrote to memory of 4792	4848	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe	b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe

C:\Users\Admin\AppData\Local\Temp\b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
"C:\Users\Admin\AppData\Local\Temp\b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\3582-490\b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe"
2⤵
- Executes dropped EXE
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
Filesize
113KB

MD5
506708142bc63daba64f2d3ad1dcd5bf

SHA1
d30e8c7543adbc801d675068530b57d75cabb13f

SHA256
9c36a08d9e7932ff4da7b5f24e6b42c92f28685b8abe964c870e8d7670fd531a

SHA512
a6e16f0de64b1500fbb2c7974a5efd40e8768b6c133f8ef367725a5c82b3b38c300dd65fa159b4a5f15413b0843a1e37416550ec89749ec1cf5cfae73dcc01ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b26000731710b91b020a96c2c834e609f3f74d1b4c879964e1962c69975e3fbf.exe
Filesize
113KB

MD5
506708142bc63daba64f2d3ad1dcd5bf

SHA1
d30e8c7543adbc801d675068530b57d75cabb13f

SHA256
9c36a08d9e7932ff4da7b5f24e6b42c92f28685b8abe964c870e8d7670fd531a

SHA512
a6e16f0de64b1500fbb2c7974a5efd40e8768b6c133f8ef367725a5c82b3b38c300dd65fa159b4a5f15413b0843a1e37416550ec89749ec1cf5cfae73dcc01ab

Download Submit
memory/4792-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads