neshta | ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225

General

Target

ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
Size

585KB
MD5

168f3f2004f8f3b24125e4c86745266a
SHA1

47935ea5be30bc9e9f5b9f758c21592aa0d91bea
SHA256

ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225
SHA512

76001b796f6b55923018281a5aae36f9493b8676dfc9f3aff3a187bde810db7d0064ce686e446d861311fff616c7fd1da602274a5eb7d09444248f785289ba0a
SSDEEP

6144:k9qfjZXluQA/qNgSr5oK4c276VcQaNWKZcdhv:fjTVxNgSFD+VNWKZQv

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

Drops file in Windows directory 1 IoCs

Processes:

ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

description ioc process

File opened for modification C:\Windows\svchost.com ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

Modifies registry class 1 IoCs

Processes:

ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe

C:\Users\Admin\AppData\Local\Temp\ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe
"C:\Users\Admin\AppData\Local\Temp\ac94e33d78409f259ad58553940c9dfe2f40c2087cd5837d6f5b763c3af31225.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:516