neshta | 6f08ed8cb5db2a58e69ec020bee500e0dc57b03a7ea548c9c9827e9702a565d0

Analysis

max time kernel
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious2389fb6b489d.exe
Size

40KB
MD5

5871912d5f8a255737aee4003c7bd87e
SHA1

fa7a080b1ff86abfecdf361009d7d37cd2493d7f
SHA256

6f08ed8cb5db2a58e69ec020bee500e0dc57b03a7ea548c9c9827e9702a565d0
SHA512

855c98bee41a53a2261146a4602c95b45db458c9c958fb931a0a50fab9670aafe5678b25fdc546651ef5dac75476396b8f0027bd26880f6c936c0765cc3419fb
SSDEEP

768:KyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJBuq:9xqjQ+P04wsmJC0

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 18 IoCs

resource	yara_rule
behavioral2/memory/5012-133-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/files/0x00060000000230a3-138.dat	family_neshta
behavioral2/memory/5012-147-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/files/0x000700000001f033-148.dat	family_neshta
behavioral2/memory/5012-160-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-222-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-223-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-224-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-225-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-226-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-227-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-228-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-229-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-230-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-231-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-232-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-234-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta
behavioral2/memory/5012-235-0x0000000000400000-0x000000000042B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	easyMalicious2389fb6b489d.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	easyMalicious2389fb6b489d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MI391D~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~3.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MIA062~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13175~1.29\MICROS~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~4.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13175~1.29\MICROS~2.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	easyMalicious2389fb6b489d.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	easyMalicious2389fb6b489d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	easyMalicious2389fb6b489d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	easyMalicious2389fb6b489d.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious2389fb6b489d.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious2389fb6b489d.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
122e7a5aaf1180d6d6cd38c113f22b6a

SHA1
93ced5c44d830efb14568e21e3803f26462ba801

SHA256
3a80a34a759ac761bfc2aec2f5517c5b2cb118bb99da0d8c0132613b4a63d9b4

SHA512
d3d885f21467bf72c7ef9735db50df793b1d88f1ae565b3704376c4792b04829f27f41aaf87ee1fd11453d2d35b55dbbef59e010f37fbbc12103b24fdb61f4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\easyMalicious2389fb6b489d.exe

Filesize
40KB

MD5
98c5beb53845d09fefeca4e30b8ec62c

SHA1
2349160af9403c0d65a9b02a7a16c05139e2ed80

SHA256
4798631d87419b2d8d2087e48a1d28b0c4299b7e32ae32582c211b7cf304ddf4

SHA512
6990ba3f01b8efe67121f9ec7a953e4b121df14917c64bc80259cf65107b8d16d1611d81525ad2ed444d57bae0f893ae274194304f4b98d6465604f1262db70d

Download Submit
memory/5012-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-226-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-222-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-223-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-147-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-227-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-228-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-230-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-231-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-232-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5012-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download