neshta | 7b0673e022585bf4aa208b1e3d215549842fabe78dfeaf9ae0a074a6c05c07fd

General

Target

2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
Size

307KB
MD5

918a5b890f6b160d75030ca89cc5117b
SHA1

be0bfac0f56a1e1ce05e49d006d9c7f694983aff
SHA256

7b0673e022585bf4aa208b1e3d215549842fabe78dfeaf9ae0a074a6c05c07fd
SHA512

a74ea605b7e79ca092db88569ad8b6e2f65da01077efea1defdeb9bedfaf00a05508d7a7ef6cd135e76f255388b0cb1db95aa8ca679143eccebcc1490e8e8afc
SSDEEP

6144:k9eS63VE6F/M4qE15NENn4F1zZeFHi2WGP4rKcO66HKwYmI:p5RqE1Ta4FJQFfWpK7HKZF

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MICROS~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MICROS~2.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MIA062~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13171~1.37\MICROS~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MI391D~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13171~1.37\MICROS~3.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

Drops file in Windows directory 1 IoCs

Processes:

2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

Modifies registry class 1 IoCs

Processes:

2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe

C:\Users\Admin\AppData\Local\Temp\2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2023-02-08_918a5b890f6b160d75030ca89cc5117b_neshta_revil_sodinokibi.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4336