neshta | 81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8

General

Target

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
Size

460KB
MD5

d8d4b212198b30c95fcf138c34ec7a5e
SHA1

edd8e5c142f62e1f195380184593ef353b1d447b
SHA256

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8
SHA512

d8eb409287006518d8c4116a6479a8243b345ec8be34b2fcebfde85e1724487a94bd8fe4c7e68884a7ec01d483ad5f283517d543f203abf73cb031c0b5280a6d
SSDEEP

6144:k9prUR/P3RLw/GzrS+Rb+c8JcoBQ+i4NOEhBeBhyboy:ogR/PBc/GzrVb+/5GC7hBeBhyx

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

pid process

1220 81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

pid	process
1220	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\NOTIFI~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\ELEVAT~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\PWAHEL~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

Drops file in Windows directory 1 IoCs

Processes:

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

description ioc process

File opened for modification C:\Windows\svchost.com 81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

Modifies registry class 1 IoCs

Processes:

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

description	pid	process	target process
PID 1156 wrote to memory of 1220	1156	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
PID 1156 wrote to memory of 1220	1156	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
PID 1156 wrote to memory of 1220	1156	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe	81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe

C:\Users\Admin\AppData\Local\Temp\81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
"C:\Users\Admin\AppData\Local\Temp\81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\3582-490\81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe"
2⤵
- Executes dropped EXE
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
Filesize
420KB

MD5
a562a78ca45eba49d3b12bf4f3db498e

SHA1
cc44144a4f1e964cdb87c9e4e96991d3700acdd0

SHA256
981fc53cadbb22cd7a86956db589b6174fac03a86f7665a753d768e7577f7de7

SHA512
62c2e53a6a140688e043a72fa0caa3df345c412af2c85e70ed2ca5ba46c1ab42983f94c121ade64bef4e8bb132c248f69013e0d56af5b98d2b879dcf9987297a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\81eeabb0b173f319befcc33187d62053509d7e96fb13f51aaef4f1ef841317b8.exe
Filesize
420KB

MD5
a562a78ca45eba49d3b12bf4f3db498e

SHA1
cc44144a4f1e964cdb87c9e4e96991d3700acdd0

SHA256
981fc53cadbb22cd7a86956db589b6174fac03a86f7665a753d768e7577f7de7

SHA512
62c2e53a6a140688e043a72fa0caa3df345c412af2c85e70ed2ca5ba46c1ab42983f94c121ade64bef4e8bb132c248f69013e0d56af5b98d2b879dcf9987297a

Download Submit
memory/1220-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads