neshta | 17c5ed15c9427a55866762ff40c4930417875fe793d9033ece1f12482e4cf659

Analysis

max time kernel
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4e46b080f9c467035ef6742f901706.exe
Size

94KB
MD5

3a4e46b080f9c467035ef6742f901706
SHA1

5826921ee02e135eb1c8e4afc2b8500511e4068a
SHA256

17c5ed15c9427a55866762ff40c4930417875fe793d9033ece1f12482e4cf659
SHA512

d5c33c9c2e1c8662ea37c1a02fb458857b21c487fc6594dbda3eb2b25d7880f6282b683f2e44684ab596e1b8d94fdf08325944e7b681fcf167037114a63fc2a2
SSDEEP

1536:kxqjQ+P04wsZLnDrCR47tlDTRc5EPMLbM/ud5tetWvVrbnp3OiT:Rr8WDrCRiPRwBM/O5rv33OiT

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	3a4e46b080f9c467035ef6742f901706.exe

Executes dropped EXE 1 IoCs

pid	Process
1132	3a4e46b080f9c467035ef6742f901706.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3a4e46b080f9c467035ef6742f901706.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~2.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MIA062~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI391D~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~3.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	3a4e46b080f9c467035ef6742f901706.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	3a4e46b080f9c467035ef6742f901706.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	3a4e46b080f9c467035ef6742f901706.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	3a4e46b080f9c467035ef6742f901706.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1132	1280	3a4e46b080f9c467035ef6742f901706.exe	23
PID 1280 wrote to memory of 1132	1280	3a4e46b080f9c467035ef6742f901706.exe	23
PID 1280 wrote to memory of 1132	1280	3a4e46b080f9c467035ef6742f901706.exe	23

C:\Users\Admin\AppData\Local\Temp\3a4e46b080f9c467035ef6742f901706.exe
"C:\Users\Admin\AppData\Local\Temp\3a4e46b080f9c467035ef6742f901706.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\3582-490\3a4e46b080f9c467035ef6742f901706.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\3a4e46b080f9c467035ef6742f901706.exe"
  2⤵
  - Executes dropped EXE
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
149KB

MD5
9a0dee3ffe469200080919c75e5f97a0

SHA1
7d173710843b1085bbd0e318782465e111743e2d

SHA256
a0558074f0abf7057bb05d18c50f70ecd372194666208bc1bc95e206115c7795

SHA512
4373a599ad1acdf8e5a1a8a4faf5f20dfa87080f1fa211da70e553b551ee1ad8eb507afeafac0abbb2555a6d639cd13214ddea4cdb45fe6640e9263934d893dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\3a4e46b080f9c467035ef6742f901706.exe

Filesize
53KB

MD5
0587e3341014e37ae53f516ade629333

SHA1
16615dab13c8aa63c3faaf2f8bee17eec3fbe793

SHA256
6752b51cb19d5d3b5be243ceb1d3c908720b91b2e171cad55ceb9d5b37e477eb

SHA512
991c65b3a3d496c0b96529ffe6b27ee7928c460d7d0e803e3b58b7a673773ed6459efb28fc153dcf0aec88a98ce91a4e5f62482c5276062a1244470f0c928145

Download Submit
memory/1280-99-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1280-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads