neshta | 816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9

General

Target

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
Size

258KB
MD5

4f0b50784beb9a1dd506b2bd8dada113
SHA1

51234eafca02247fef4115a1a6fef369bc872ebb
SHA256

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9
SHA512

ed8dd0f77c5e96c4d42aa15481250a710f430f006b7980ef6b2437fcf94503aeaa40e4bf34fc81e53cfbd79465ce41468bc8060af564a2dbb45744ae39d34258
SSDEEP

6144:k95xk7oooo1C6wmAp7d3rqC90zQyVc6eON2cVm:6xk7Xozo++5zD9eON2co

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

pid process

2320 816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

pid	process
2320	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

Drops file in Windows directory 1 IoCs

Processes:

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

description ioc process

File opened for modification C:\Windows\svchost.com 816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

Modifies registry class 1 IoCs

Processes:

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

description	pid	process	target process
PID 1724 wrote to memory of 2320	1724	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
PID 1724 wrote to memory of 2320	1724	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
PID 1724 wrote to memory of 2320	1724	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe	816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe

C:\Users\Admin\AppData\Local\Temp\816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
"C:\Users\Admin\AppData\Local\Temp\816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe"
2⤵
- Executes dropped EXE
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
Filesize
217KB

MD5
7ac7ed1a942ea8ac8ce877e1ac2a22ae

SHA1
5bf847fa6e2d0fefd2ee20ee34151412c30ea1d7

SHA256
3f8bd112ea17b2e8d25601e3da5c55af2f3685f56a3c329c06bc45a23ca8a38b

SHA512
5c99cfc103a952d9484be8c62e6cf685e93160dc7f06da7f0b89a3832664e8f80049b3114860514e59bb9486924e04812de0c8f0c514c7fddc306fc27806b288

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\816804a1bc504b480d67b0471048f6af37eb4ed66942e736dffd62d4ee478ba9.exe
Filesize
217KB

MD5
7ac7ed1a942ea8ac8ce877e1ac2a22ae

SHA1
5bf847fa6e2d0fefd2ee20ee34151412c30ea1d7

SHA256
3f8bd112ea17b2e8d25601e3da5c55af2f3685f56a3c329c06bc45a23ca8a38b

SHA512
5c99cfc103a952d9484be8c62e6cf685e93160dc7f06da7f0b89a3832664e8f80049b3114860514e59bb9486924e04812de0c8f0c514c7fddc306fc27806b288

Download Submit
memory/2320-132-0x0000000000000000-mapping.dmp

Download
memory/2320-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads