neshta | 1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d

General

Target

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
Size

340KB
MD5

42aea131431fd7f6a33c3a105da8c150
SHA1

4b8248bbcbdcd6daafd62447c8904ec0d3812bb5
SHA256

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d
SHA512

c9da91a4549c0086bd1f96fe55450f851eb238c3a5b3b678c795cf84b9a9c55c537989d0f9c703be0edcd78d71096baa8cbb7c4fb65977d2e2a62519d1a58554
SSDEEP

6144:k9h6qCoGSbH33BVGxYxZFRhw0XZNQ5GHeMcXKKs+eV4z4wY4ZPg0EPGMgN/zx:2C/STh8xY3h3Jm5Gq6oeV44T4C0EPXgb

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

pid process

4312 1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

pid	process
4312	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

Drops file in Windows directory 1 IoCs

Processes:

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

description ioc process

File opened for modification C:\Windows\svchost.com 1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

Modifies registry class 1 IoCs

Processes:

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

description	pid	process	target process
PID 1560 wrote to memory of 4312	1560	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
PID 1560 wrote to memory of 4312	1560	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
PID 1560 wrote to memory of 4312	1560	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe	1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe

C:\Users\Admin\AppData\Local\Temp\1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
"C:\Users\Admin\AppData\Local\Temp\1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\3582-490\1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe"
2⤵
- Executes dropped EXE
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
Filesize
299KB

MD5
8547bc43fe706ceb136840691b9742c6

SHA1
15360f6d2c6816d3e98f48bc0a0d88cb397fa5f2

SHA256
94978dd8d294228ef57ebba417427050f2686b7ba813a532c00b486e25b88a4c

SHA512
fe0533adee4372a5ca8c74fd256582e8fe2e9bdac5c1e4cfa575b9d1b04d475985bd7bc91fd5d2522b20aff493835a4677201aa79962222c63f9ddb785bca9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\1e0e94d942640944f0495a497585e041e06fc9b48febee9a9e0617c34283a46d.exe
Filesize
299KB

MD5
8547bc43fe706ceb136840691b9742c6

SHA1
15360f6d2c6816d3e98f48bc0a0d88cb397fa5f2

SHA256
94978dd8d294228ef57ebba417427050f2686b7ba813a532c00b486e25b88a4c

SHA512
fe0533adee4372a5ca8c74fd256582e8fe2e9bdac5c1e4cfa575b9d1b04d475985bd7bc91fd5d2522b20aff493835a4677201aa79962222c63f9ddb785bca9f9

Download Submit
memory/4312-132-0x0000000000000000-mapping.dmp

Download
memory/4312-135-0x0000000001000000-0x00000000010AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads