neshta | 4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae

General

Target

4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
Size

334KB
MD5

03b58e0c6584c295ab78ca22112431e0
SHA1

d1d61b3d2f03a75fa425abd4652f5cc95e68ffcb
SHA256

4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae
SHA512

a5ff5654e2c3947b3d27c84c03902f07b2ba3b5e9e1745d3ffdceb1d349848dd0c350db7ad1b6ab8ebcac401537570a651a78c1e8df71a31bb88426df2894da5
SSDEEP

6144:k9bFzdSc7HqVdLNLko2xyPmwQoSBJVc6/2eNvsKPdE:azEKHadpLgyP6oS9t2eNvseK

Score

10^/10

neshta ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 3 IoCs

pid	Process
2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
220	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe
4680	DesktopLayer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e1b-133.dat	upx
behavioral2/files/0x0006000000022e1b-134.dat	upx
behavioral2/memory/220-138-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/220-142-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4680-144-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2676-145-0x0000000000400000-0x00000000004C3000-memory.dmp	upx
behavioral2/memory/2676-146-0x0000000000400000-0x00000000004C3000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px273F.tmp	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F08E1150-7632-11ED-BF5F-7EADEF22860F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4680	DesktopLayer.exe
4680	DesktopLayer.exe
4680	DesktopLayer.exe
4680	DesktopLayer.exe
4680	DesktopLayer.exe
4680	DesktopLayer.exe
4680	DesktopLayer.exe
4680	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
776	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
776	iexplore.exe
776	iexplore.exe
3476	IEXPLORE.EXE
3476	IEXPLORE.EXE
3476	IEXPLORE.EXE
3476	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2676	1476	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe	82
PID 1476 wrote to memory of 2676	1476	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe	82
PID 1476 wrote to memory of 2676	1476	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe	82
PID 2676 wrote to memory of 220	2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe	83
PID 2676 wrote to memory of 220	2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe	83
PID 2676 wrote to memory of 220	2676	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe	83
PID 220 wrote to memory of 4680	220	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe	84
PID 220 wrote to memory of 4680	220	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe	84
PID 220 wrote to memory of 4680	220	4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe	84
PID 4680 wrote to memory of 776	4680	DesktopLayer.exe	85
PID 4680 wrote to memory of 776	4680	DesktopLayer.exe	85
PID 776 wrote to memory of 3476	776	iexplore.exe	86
PID 776 wrote to memory of 3476	776	iexplore.exe	86
PID 776 wrote to memory of 3476	776	iexplore.exe	86

C:\Users\Admin\AppData\Local\Temp\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
"C:\Users\Admin\AppData\Local\Temp\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4680
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:776 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Filesize
294KB

MD5
2916a56fedb0f824176536b2393390b1

SHA1
b05a6f980d6be9cea6e8fed3632743c5b573ecbc

SHA256
7db951882ca88e2f32202e1dc652e69d9bef58e144f5dab743f6d29673e9fc4e

SHA512
ac74ec8b40f02b59408f03025559f1262635b70ec3ebf331c591c0f394cf021a5b6577d183b9d20c1f7e8eac899138aadd91802889d2a77e6696913b2b6a0f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaae.exe

Filesize
294KB

MD5
2916a56fedb0f824176536b2393390b1

SHA1
b05a6f980d6be9cea6e8fed3632743c5b573ecbc

SHA256
7db951882ca88e2f32202e1dc652e69d9bef58e144f5dab743f6d29673e9fc4e

SHA512
ac74ec8b40f02b59408f03025559f1262635b70ec3ebf331c591c0f394cf021a5b6577d183b9d20c1f7e8eac899138aadd91802889d2a77e6696913b2b6a0f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\4510d89b0202d10ef5278296812c1d41c78ee0036819b46b7597325c014ddaaeSrv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
memory/220-138-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/220-142-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2676-145-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2676-146-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4680-144-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads