neshta | 64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d

Analysis

max time kernel
160s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe
Size

279KB
MD5

0370e29985021d83df598d5578e9c45e
SHA1

7818f3883878af9c23d3341ca08ec1d74428f48f
SHA256

64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d
SHA512

8a94b86f878a1c8bbb19c1eafac3d3d7fc99d2d3519a51b3f8cc541c05123f1edf0beb8ae98c3a12a2e879a278b77780fdd1fe001ea72f6db426dc1e1bd143a5
SSDEEP

6144:tuOdfqavhGrv5/VZg+UPjDi61Lvzg/PbIh0:9vhG75/b1UvPvUjIh0

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 1 IoCs

pid	Process
2948	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 2948	4328	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe	87
PID 4328 wrote to memory of 2948	4328	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe	87
PID 4328 wrote to memory of 2948	4328	64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe	87

C:\Users\Admin\AppData\Local\Temp\64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe
"C:\Users\Admin\AppData\Local\Temp\64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\3582-490\64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe"
  2⤵
  - Executes dropped EXE
  PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe

Filesize
239KB

MD5
f12a68ed55053940cadd59ca5e3468dd

SHA1
c7cd0f79752f64078a90727d675101670d9f04eb

SHA256
75331e6da4e30717085e7d8131989241ebc492dc3ee455546f91da9dfffd2bfc

SHA512
571a7a04a2ef6ea3eff7ca053acdf5e911cef437045e8278f37101608cef28878d1cc231b1d70392cb0aa0509543bbbf4e3929ab018fd232a9d0ec7bc31a9af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\64ad8e54a3c656f727c41567c6cae451e013f0ad26b99831dcb530d07b14587d.exe

Filesize
239KB

MD5
f12a68ed55053940cadd59ca5e3468dd

SHA1
c7cd0f79752f64078a90727d675101670d9f04eb

SHA256
75331e6da4e30717085e7d8131989241ebc492dc3ee455546f91da9dfffd2bfc

SHA512
571a7a04a2ef6ea3eff7ca053acdf5e911cef437045e8278f37101608cef28878d1cc231b1d70392cb0aa0509543bbbf4e3929ab018fd232a9d0ec7bc31a9af8

Download Submit