neshta | 98191390feded2c9b9bea4acfc3782067624502a702e4929ab3967e1e5cc47ae

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-04-2023 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3131321312313.exe
Size

15.0MB
MD5

504211aeace6ca8f70cc00a3215bda05
SHA1

502d5280f10f867627ed24e5dc297c3a5badcc28
SHA256

98191390feded2c9b9bea4acfc3782067624502a702e4929ab3967e1e5cc47ae
SHA512

cec60bfe8c941b18d32f6493ab1c2b784143e39577e4e5e33ecb75ba8412ff34f5e49da880c5a8482e4b30b7ed6ff095d160bf28b4866fdd1422bf2b224c6501
SSDEEP

49152:dz1B3kbWTQmYOXQB8eBVhTBUenNT9xaI/Ak3OQaa1ePdql7p3ib/fo1VOaf3sOk7:B

Score

10^/10

neshta njrat hacked persistence ransomware spyware trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

there-carol.at.ply.gg:5855

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Detect Neshta payload 9 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
behavioral1/memory/772-74-0x0000000001160000-0x0000000001C9E000-memory.dmp	family_neshta
\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta
\Users\Admin\AppData\Local\Temp\Dangerous.exe	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

paylod.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 3 IoCs

Processes:

paylod.exeDangerous.exePayload.exe

pid process

1804 paylod.exe
772 Dangerous.exe
1260 Payload.exe

pid	process
1804	paylod.exe
772	Dangerous.exe
1260	Payload.exe

Loads dropped DLL 10 IoCs

Processes:

3131321312313.exeWerFault.exepaylod.exe

pid	process
316	3131321312313.exe
316	3131321312313.exe
316	3131321312313.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1732	WerFault.exe
1804	paylod.exe
1804	paylod.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

paylod.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	paylod.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Payload.exe

description ioc process

File opened (read-only) \??\D: Payload.exe

description	ioc	process
File opened (read-only)	\??\D:	Payload.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Payload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ù„Ù‚Ø·Ø© Ø§Ù„Ø´Ø§Ø´Ø© 2023-02-28 141231.png"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1732 772 WerFault.exe Dangerous.exe

pid	pid_target	process	target process
1732	772	WerFault.exe	Dangerous.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Dangerous.exePayload.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	772	Dangerous.exe
Token: SeDebugPrivilege	1260	Payload.exe
Token: 33	1260	Payload.exe
Token: SeIncBasePriorityPrivilege	1260	Payload.exe
Token: 33	1260	Payload.exe
Token: SeIncBasePriorityPrivilege	1260	Payload.exe
Token: 33	1260	Payload.exe
Token: SeIncBasePriorityPrivilege	1260	Payload.exe
Token: 33	1996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1996	AUDIODG.EXE
Token: 33	1996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1996	AUDIODG.EXE
Token: 33	1260	Payload.exe
Token: SeIncBasePriorityPrivilege	1260	Payload.exe
Token: 33	1260	Payload.exe
Token: SeIncBasePriorityPrivilege	1260	Payload.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Payload.exe

pid process

1260 Payload.exe
1260 Payload.exe

pid	process
1260	Payload.exe
1260	Payload.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3131321312313.exeDangerous.exepaylod.exe

description	pid	process	target process
PID 316 wrote to memory of 1804	316	3131321312313.exe	paylod.exe
PID 316 wrote to memory of 1804	316	3131321312313.exe	paylod.exe
PID 316 wrote to memory of 1804	316	3131321312313.exe	paylod.exe
PID 316 wrote to memory of 1804	316	3131321312313.exe	paylod.exe
PID 316 wrote to memory of 772	316	3131321312313.exe	Dangerous.exe
PID 316 wrote to memory of 772	316	3131321312313.exe	Dangerous.exe
PID 316 wrote to memory of 772	316	3131321312313.exe	Dangerous.exe
PID 316 wrote to memory of 772	316	3131321312313.exe	Dangerous.exe
PID 772 wrote to memory of 1732	772	Dangerous.exe	WerFault.exe
PID 772 wrote to memory of 1732	772	Dangerous.exe	WerFault.exe
PID 772 wrote to memory of 1732	772	Dangerous.exe	WerFault.exe
PID 772 wrote to memory of 1732	772	Dangerous.exe	WerFault.exe
PID 1804 wrote to memory of 1260	1804	paylod.exe	Payload.exe
PID 1804 wrote to memory of 1260	1804	paylod.exe	Payload.exe
PID 1804 wrote to memory of 1260	1804	paylod.exe	Payload.exe
PID 1804 wrote to memory of 1260	1804	paylod.exe	Payload.exe
PID 1804 wrote to memory of 1748	1804	paylod.exe	attrib.exe
PID 1804 wrote to memory of 1748	1804	paylod.exe	attrib.exe
PID 1804 wrote to memory of 1748	1804	paylod.exe	attrib.exe
PID 1804 wrote to memory of 1748	1804	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1748 attrib.exe

pid	process
1748	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3131321312313.exe
"C:\Users\Admin\AppData\Local\Temp\3131321312313.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1260

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
3⤵
- Views/modifies file attributes
PID:1748

C:\Users\Admin\AppData\Local\Temp\Dangerous.exe
"C:\Users\Admin\AppData\Local\Temp\Dangerous.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 568
3⤵
- Loads dropped DLL
- Program crash
PID:1732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
4da105a00aa3338b474c3d80e4579fd9

SHA1
fadc5d5a4197ea658bba806232a9a26db8d28ef2

SHA256
b2da3b8dab567a0d640895066ddf8f78b68201454191d82494b5f328cf90b5c9

SHA512
5b43cab2f23f64bb29a991bf2c7e63fdda69533a47d18ec11fae87ef34e49fd09525f769463b80dadd5303bcc3f09b640e3b10c40d351895592943c7a461c224

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1018B

MD5
aef56b855332295d13495145381e015e

SHA1
7829444d8b4aa3d88539816e9b30a228bf7fd3d5

SHA256
d68f7b406376e6e59de28b14069bd591f88c4f20082e441cc4d46a8aa1a7f41b

SHA512
54d3e4ef45314f96c814a3621a80bef76d0bb73a09d7e806cbcf970ee471b4f05e0149f97f1dd60c7855c91e4936aec5abd25a601c17aac86047577a0bf5c280

Download Submit
\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
\Users\Admin\AppData\Local\Temp\Dangerous.exe
Filesize
11.2MB

MD5
fb40ba1b494af4057ab259bba5f33fe6

SHA1
b872393a07d3949947a41871132b736c00c771bb

SHA256
40a82c50b9875698551a2f6dd4f71fc23b4a04eeec655a4746111279ef57d2ac

SHA512
f2feec8be6578aa273efd363ae1eba0862fc240a441fd8d1f14942fda241e34896e7b76179d7132af97f18acdf13afd4032f1874a9b20cc04120706beff9e804

Download Submit
\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
\Users\Admin\AppData\Local\Temp\Payload.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
7f97b509846ff703d99d402cf6a54816

SHA1
a79540168d52aa3a4fa2b45663e70533e7d888e1

SHA256
a97590f53e26c448decda9f204433399f15fa85bd0a582c79cf1ff7c138dfcbe

SHA512
eacc2648e9a9cc55477b0bfb2372c5ee7782debf68ef59406a4bca2c5a4c9e2415b81d33ea37bae56b1b7d6626e9e371b788497b9cea2f8ea82fe55dbb77ccce

Download Submit
memory/316-68-0x0000000000B70000-0x0000000000BB0000-memory.dmp

Filesize
256KB

Download
memory/772-79-0x0000000000C20000-0x0000000000C60000-memory.dmp

Filesize
256KB

Download
memory/772-74-0x0000000001160000-0x0000000001C9E000-memory.dmp

Filesize
11.2MB

Download
memory/1260-96-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/1260-97-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

Filesize
256KB

Download
memory/1804-81-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download