neshta | b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8

General

Target

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
Size

300KB
MD5

f99be5bb89572c27e5fd6772c447fdc1
SHA1

2061fce18c8e7e17bb435f113b6187e308bdc5f0
SHA256

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8
SHA512

4c46e54aa64eba81a9e0be8f8a32db0171d855aa308d56725eb068e0f64b74276bd84ae8eb6d7443b501c44e9b0ce374f03db625400ef89aae766573ac22d678
SSDEEP

6144:k9HgFtx1oM+dFbHjJepKAEsJxzWmZJBWmZJG:fFkjbHjJ+2sPvs

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

pid process

668 b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

pid	process
668	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

Drops file in Windows directory 1 IoCs

Processes:

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

description ioc process

File opened for modification C:\Windows\svchost.com b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

Modifies registry class 1 IoCs

Processes:

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

description	pid	process	target process
PID 4696 wrote to memory of 668	4696	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
PID 4696 wrote to memory of 668	4696	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
PID 4696 wrote to memory of 668	4696	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe	b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe

C:\Users\Admin\AppData\Local\Temp\b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
"C:\Users\Admin\AppData\Local\Temp\b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\3582-490\b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe"
2⤵
- Executes dropped EXE
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
Filesize
260KB

MD5
da727c21545a5f14b1b66c1cd0a43864

SHA1
ad2d97f3333aa9cfc09f3b0126341d323d0c6911

SHA256
6059875cc4c6aaf5f5d14522c83b19465c9ff6e110465fd0a7e4e3a9e7b95d96

SHA512
41215b4e333727f5d80920e0b57a100550061b2a8b345e16f9fc9ab62c3b71a31c34f40160b277878089a2de25818a3601880f53270d4c8724657bd0673da19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b1dc0f68ec414d66e35cb546aa0c84d552b8e659092261493a5e6ee00bdbc1d8.exe
Filesize
260KB

MD5
da727c21545a5f14b1b66c1cd0a43864

SHA1
ad2d97f3333aa9cfc09f3b0126341d323d0c6911

SHA256
6059875cc4c6aaf5f5d14522c83b19465c9ff6e110465fd0a7e4e3a9e7b95d96

SHA512
41215b4e333727f5d80920e0b57a100550061b2a8b345e16f9fc9ab62c3b71a31c34f40160b277878089a2de25818a3601880f53270d4c8724657bd0673da19d

Download Submit
memory/668-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads