neshta | ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee

General

Target

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
Size

1.4MB
MD5

7e322e66f5ede8f660d838a10b102969
SHA1

f2ee690d4af02a3f7a3a0419417bae439905eeb5
SHA256

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee
SHA512

d67447969ded5918bc20cf3a7ff97a8965408c3f00262b23cad5e09d094d875217ff65968cec4d452aab6aea9da9d7608c07f5e75ba31fcb619e45d5edf71850
SSDEEP

24576:GIG3nvPkK0PB3CM+5M05GKvvoiRrfVdLbMUkB8AL1Lcv63mjSvQp0KxYgpN0SZ/u:4nHkXvHAGWrIIvUs7TR1OhLrd

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

pid process

3316 ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

pid	process
3316	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\COOKIE~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

Drops file in Windows directory 1 IoCs

Processes:

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

description ioc process

File opened for modification C:\Windows\svchost.com ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

Modifies registry class 1 IoCs

Processes:

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

description	pid	process	target process
PID 4720 wrote to memory of 3316	4720	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
PID 4720 wrote to memory of 3316	4720	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
PID 4720 wrote to memory of 3316	4720	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe	ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe

C:\Users\Admin\AppData\Local\Temp\ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
"C:\Users\Admin\AppData\Local\Temp\ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\3582-490\ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe"
2⤵
- Executes dropped EXE
PID:3316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
Filesize
1.4MB

MD5
0d7e27c0fb721a28549494bbb507e3e1

SHA1
f8b7932f308a70d49bd43193b55aae6e2bd8fb54

SHA256
9f4463851381b252c4667b9ad72dc7d02bb4a1901a1d821d11a563de2357a8f9

SHA512
0d3e169db1bf72ca4217982234c5a9508aa1148a362d8f4be01ce8d56b4a007a98cb40014fbdf921e561df80ca6c62886aaade81fa11859940ffe3e7025edae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ad62a32a7d961c8ff2ec371c52acab923d5816736010b161ed68201bcf2572ee.exe
Filesize
1.4MB

MD5
0d7e27c0fb721a28549494bbb507e3e1

SHA1
f8b7932f308a70d49bd43193b55aae6e2bd8fb54

SHA256
9f4463851381b252c4667b9ad72dc7d02bb4a1901a1d821d11a563de2357a8f9

SHA512
0d3e169db1bf72ca4217982234c5a9508aa1148a362d8f4be01ce8d56b4a007a98cb40014fbdf921e561df80ca6c62886aaade81fa11859940ffe3e7025edae1

Download Submit
memory/3316-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads