Analysis
- max time kernel: 113s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/06/2023, 09:23
Static task: static1
Behavioral task: behavioral1
- Sample: 0tMUNlnakQsCKNd.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 0tMUNlnakQsCKNd.exe
- Resource: win10v2004-20230220-en
General
- Target: 0tMUNlnakQsCKNd.exe
- Size: 864KB
- MD5: 7d424fcd2cfd26574af4acdb87cbe15a
- SHA1: d1f2636c0a0a493cbc7522350de7abef29ae4e9e
- SHA256: bb741e7ac48085e964e7fdfbd19b97a7376712b09c540a95c9a5f1872034908b
- SHA512: 5f78ddb361164d642b041db6d26c727519840c28a7f34e9ae8ec9ab3613981717cfec36ab509c04f6fe8b013f25aed8ac7864fe8ab0ff7fd33dc991d1ef9a820
- SSDEEP: 24576:bUlRu4OyqGUL8ANdsS8hMrVl0nhwcnBH:bUlRu4NqGo8ANuS8hMrr09
Malware Config
Signatures
-
Detect Neshta payload 6 IoCs
YARA rule family_neshta matched six memory dumps of PID 3356 (the second instance of 0tMUNlnakQsCKNd.exe), all covering the region 0x00400000-0x0041B000, which is the default image base of a 32-bit executable:
- behavioral2/memory/3356-140-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3356-141-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3356-143-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3356-153-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3356-271-0x0000000000400000-0x000000000041B000-memory.dmp
- behavioral2/memory/3356-273-0x0000000000400000-0x000000000041B000-memory.dmp
Neshta
Neshta is a file-infecting virus that spreads by writing itself into other executables. In this run it copies itself to C:\Windows\svchost.com, rewrites the exefile shell\open\command association so that every .exe launched through the shell passes through that copy first, and opens the executables it finds under Program Files for modification (see the file list below).
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence check. One query per instance of the sample (PID 4720 and PID 3356 in the process tree):
- Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (process 0tMUNlnakQsCKNd.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (process 0tMUNlnakQsCKNd.exe)
Modifies system executable filetype association 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = C:\Windows\svchost.com "%1" %* (process 0tMUNlnakQsCKNd.exe)
The stock value of this key is "%1" %*. With the new value, every .exe started through the shell runs C:\Windows\svchost.com first, which receives the intended program's path as its first argument; this is how the infector re-executes on every program launch and gets a handle on new files to infect.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
- PID 4720 (0tMUNlnakQsCKNd.exe) set the thread context of PID 3356 (0tMUNlnakQsCKNd.exe), procid_target 90
Together with the eleven WriteProcessMemory calls from 4720 into 3356 listed below and the family_neshta YARA hits in 3356's memory at 0x00400000, this is the process-hollowing pattern: the first instance starts a second copy of itself, overwrites its image and redirects its thread.
Drops file in Program Files directory 64 IoCs
All 64 entries are "File opened for modification" by 0tMUNlnakQsCKNd.exe (PID 3356 in the process tree); paths are shown as the sandbox recorded them, in 8.3 short form:
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WINDOW~4\wmlaunch.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MIA062~1.EXE
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
- C:\PROGRA~2\WINDOW~2\wabmig.exe
- C:\PROGRA~2\WINDOW~4\wmplayer.exe
- C:\PROGRA~2\WINDOW~4\wmpshare.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MICROS~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MI391D~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
- C:\PROGRA~2\WINDOW~2\wab.exe
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MICROS~3.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
- C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13173~1.45\MICROS~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
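The report records that the second instance opened the executables above for modification, which is what a file infector does to its hosts. As an added triage check (not part of this report and not code from any analysis tool), the following Python looks for the layout a prepend-style infector leaves behind: a complete PE image at offset 0 followed by a second complete PE image further into the file. The page does not state the exact file layout Neshta produces, so treat this as a generic heuristic; `MAX_E_LFANEW` is an assumed bound, and the tiny PE-shaped blobs built by `make_minimal_pe` are constructed for the demonstration and are not loadable executables.

```python
"""Find embedded PE images in a file: a triage heuristic for prepend-style file infectors (added example)."""
import struct
from typing import List, Optional

PE_SIG = b"PE\0\0"
MAX_E_LFANEW = 0x1000  # assumption: a real DOS stub places the PE header within the first 4 KiB


def find_pe_images(data: bytes) -> List[int]:
    """Return the offset of every well-formed PE header (MZ, sane e_lfanew, 'PE\\0\\0') in data.

    A normal executable yields exactly one offset, 0. A prepended infector stub
    followed by the original program yields two: 0 and the size of the stub.
    """
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):                       # the DOS header is 0x40 bytes
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= MAX_E_LFANEW and data[pe:pe + 4] == PE_SIG:
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def looks_like_prepender_infection(data: bytes) -> bool:
    """True when a PE at offset 0 is followed by at least one more complete PE image."""
    offs = find_pe_images(data)
    return len(offs) > 1 and offs[0] == 0


def carve_host(data: bytes) -> Optional[bytes]:
    """Return everything from the second PE header onward (the carried program), or None.

    For a prepender this is the original host file; for an installer or
    self-extractor it is merely the embedded payload, so verify before trusting it.
    """
    offs = find_pe_images(data)
    return data[offs[1]:] if len(offs) > 1 else None


def make_minimal_pe(body: bytes) -> bytes:
    """Construct a PE-shaped blob for the demonstration: DOS header, e_lfanew, 'PE\\0\\0' + COFF header."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew: PE header right after the DOS header
    # COFF header: machine=i386, 1 section, timestamp/symbols=0, optional header size, characteristics
    coff = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(hdr) + coff + body


if __name__ == "__main__":
    host = make_minimal_pe(b"host program body " * 8)       # constructed stand-in for a clean file
    stub = make_minimal_pe(b"infector stub body " * 4)      # constructed stand-in for an infector stub
    infected = stub + host
    print("clean    :", find_pe_images(host), looks_like_prepender_infection(host))
    print("infected :", find_pe_images(infected), looks_like_prepender_infection(infected))
    print("carved host matches original:", carve_host(infected) == host)
```

Run it over the 64 paths listed above (resolved to their long names) on an infected host and compare the carved tail against a known-good copy of each file. The heuristic also fires on legitimate installers, updaters and self-extractors that embed executables, so a hit means "inspect", not "infected".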
Drops file in Windows directory 1 IoCs
- File opened for modification: C:\Windows\svchost.com (process 0tMUNlnakQsCKNd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ (Default) = C:\Windows\svchost.com "%1" %* (process 0tMUNlnakQsCKNd.exe)
This is the same write already recorded under "Modifies system executable filetype association"; the sandbox tags it under both signatures.
Suspicious behavior: EnumeratesProcesses 7 IoCs
- PID 4720 0tMUNlnakQsCKNd.exe (5 events)
- PID 208 powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 4720 0tMUNlnakQsCKNd.exe
- Token: SeDebugPrivilege, PID 208 powershell.exe
Suspicious use of WriteProcessMemory 14 IoCs
- PID 4720 (0tMUNlnakQsCKNd.exe) wrote to memory of PID 208 (powershell.exe), procid_target 88: 3 events
- PID 4720 (0tMUNlnakQsCKNd.exe) wrote to memory of PID 3356 (0tMUNlnakQsCKNd.exe), procid_target 90: 11 events
A few writes into a freshly created child are typically the parent's own process-creation housekeeping, so the three writes into powershell.exe are weak evidence on their own; the eleven writes into 3356, paired with the SetThreadContext call on the same process, are the injection signal.
Processes
- C:\Users\Admin\AppData\Local\Temp\0tMUNlnakQsCKNd.exe (PID 4720)
  command line: "C:\Users\Admin\AppData\Local\Temp\0tMUNlnakQsCKNd.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 208)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0tMUNlnakQsCKNd.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\0tMUNlnakQsCKNd.exe (PID 3356)
    command line: "C:\Users\Admin\AppData\Local\Temp\0tMUNlnakQsCKNd.exe"
    - Checks computer location settings
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class

Order of events: the first instance (4720) adds a Microsoft Defender exclusion for its own path, then starts a second copy of itself (3356) and injects into it; the second copy is the one that drops C:\Windows\svchost.com, hijacks the exefile association and touches the Program Files executables. Two caveats for anyone turning this into detection: the PowerShell command line names System32 but the image that ran is under SysWOW64, because the 32-bit sample (arch:x86 tag) is subject to WOW64 file-system redirection, so match on the image path rather than the command line; and Add-MpPreference requires administrative rights, so on a standard-user host the exclusion step fails while the rest of the chain can still proceed.
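The process tree and the registry, file and injection IoCs above together describe a small, specific behaviour chain. As an added example (not part of this report, and not code from the sandbox), the following Python expresses that chain as detection rules and runs them over telemetry records constructed to mirror this page: the Defender exclusion added through PowerShell, SetThreadContext on a child running the same image, the exefile\shell\open\command rewrite, and a .com dropped under C:\Windows. The `Event` record shape, the rule names and the `EVENTS` list are assumptions made for the example; the paths, PIDs, command line and registry value are the ones this page records.

```python
"""Detection rules over process, registry and file telemetry (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ntpath

DEFAULT_EXE_OPEN = '"%1" %*'  # stock (Default) value of HKCR\exefile\shell\open\command


@dataclass
class Event:
    kind: str                         # "process" | "registry" | "thread_context" | "file"
    pid: int
    image: str                        # full path of the acting process
    parent_pid: Optional[int] = None
    cmdline: str = ""                 # process: command line
    target_pid: Optional[int] = None  # thread_context: process whose thread was modified
    key: str = ""                     # registry: key written
    value: str = ""                   # registry: data written (already unescaped)
    path: str = ""                    # file: path opened for modification


# Constructed telemetry mirroring the sandbox process tree and IoCs on this page.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0tMUNlnakQsCKNd.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          r'Add-MpPreference -ExclusionPath "' + SAMPLE + '"')
EVENTS = [
    Event("process", 4720, SAMPLE, cmdline='"' + SAMPLE + '"'),
    Event("process", 208, PS_IMAGE, parent_pid=4720, cmdline=PS_CMD),
    Event("process", 3356, SAMPLE, parent_pid=4720, cmdline='"' + SAMPLE + '"'),
    Event("thread_context", 4720, SAMPLE, target_pid=3356),
    Event("registry", 3356, SAMPLE,
          key=r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
          value=r'C:\Windows\svchost.com "%1" %*'),
    Event("file", 3356, SAMPLE, path=r"C:\Windows\svchost.com"),
    Event("file", 3356, SAMPLE, path=r"C:\PROGRA~2\INTERN~1\iexplore.exe"),  # .exe target: must not fire
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_exefile_hijack(ev: Event) -> bool:
    """exefile\\shell\\open\\command rewritten to anything other than the stock value."""
    if ev.kind != "registry":
        return False
    key = ev.key.rstrip("\\").lower()
    return key.endswith(r"\classes\exefile\shell\open\command") and ev.value.strip() != DEFAULT_EXE_OPEN


def rule_defender_exclusion(ev: Event) -> bool:
    """PowerShell invoked to add a Defender path exclusion; matched on image path, not on the command line's System32."""
    if ev.kind != "process" or _base(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    cl = ev.cmdline.lower()
    return "add-mppreference" in cl and "-exclusionpath" in cl


def rule_self_image_thread_context(ev: Event, images: Dict[int, str]) -> bool:
    """SetThreadContext on another process running the same image: the hollowing pattern."""
    if ev.kind != "thread_context" or ev.target_pid is None or ev.target_pid == ev.pid:
        return False
    return images.get(ev.target_pid, "").lower() == ev.image.lower()


def rule_com_in_windows_dir(ev: Event) -> bool:
    """A .com file written anywhere under C:\\Windows (the svchost.com drop)."""
    p = ev.path.lower()
    return ev.kind == "file" and p.startswith("c:\\windows\\") and p.endswith(".com")


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Run every rule over the telemetry; return (rule name, acting pid) hits in event order."""
    images = {e.pid: e.image for e in events if e.kind == "process"}
    hits = []
    for ev in events:
        if rule_exefile_hijack(ev):
            hits.append(("exefile_association_hijack", ev.pid))
        if rule_defender_exclusion(ev):
            hits.append(("defender_exclusion_added", ev.pid))
        if rule_self_image_thread_context(ev, images):
            hits.append(("self_image_thread_context", ev.pid))
        if rule_com_in_windows_dir(ev):
            hits.append(("com_dropped_in_windows_dir", ev.pid))
    return hits


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:30} pid={pid}")
```

Each rule is deliberately independent so that a single hit (for example a legitimate administrator adding an exclusion) stays a low-severity event; what makes this run unambiguous is all four firing from one parent-child pair within seconds, so correlate by parent PID before raising severity. Note also that the exefile rule compares the value against the stock `"%1" %*` rather than looking for svchost.com, so it catches any hijack of the association, not only this family's filename.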
Network
MITRE ATT&CK Enterprise v6
Downloads
Files captured by the sandbox during the run; the report gives sizes and hashes only, no file names or paths.
- Filesize: 2.4MB
  MD5: 5d78e8f0ace7d14f7a79f05335a9a361
  SHA1: e8a375344104bc78ad9145b24e009a71d3acedc3
  SHA256: 9d1ab4e09926ed56abad033d18dbd1de12a7dca6e117b50c93618cc0b9067e64
  SHA512: 91f5015bbe287aa111edc2741d283394807d0ee60c963ecf2de8cb8ce728108fb8706fc6d06e0d498088df1280e9c9098879034d2d5db003b28d1efded15cd64
- Filesize: 824KB
  MD5: 323918444eecaccd73e5a79ad0733d9a
  SHA1: d673223b8492119049c3a6f90085c20bfc186325
  SHA256: dd6d088291d26929238d47fd7f2ef3d9dec778b9659082c4bf84656f7a0d79a8
  SHA512: f1a91518803e468b9c9e3c90e13aee9d5b6ab3eb06f5926a16fdeb5e003769b10b1d9115c74db69420f687753976c01be10c8be48b0ee83b6412e71a2533a501
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82