neshta | bbe9f9cc65b80eaa6736e73ee6b0a34d0481996a498c602c04ca8e54083aa85d

General

Target

82cd3c3dd9320cd4721fc74843541dc9.exe
Size

190KB
MD5

82cd3c3dd9320cd4721fc74843541dc9
SHA1

0d85afbb12e2f25b87fcef6cf66f1afc134f48b8
SHA256

bbe9f9cc65b80eaa6736e73ee6b0a34d0481996a498c602c04ca8e54083aa85d
SHA512

c9d4a7c6af536ede6edbcb002758bf8595149da7dd24caedc7341cf9379b4b14ed9998978c2688f90ce689b0d81bde22f9b23cf155bfa1e918a416fd0ac90783
SSDEEP

3072:sr85C9UXfyzaRvqGsXkXSaKZ+5PtP3m3qTVj:k9mXqzaAhXkXrPtO6Td

Score

10^/10

Malware Config

Signatures

Detect Neshta payload 14 IoCs

resource	yara_rule
behavioral2/memory/3452-1-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-13-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-14-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-15-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-16-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-17-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-18-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-19-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-20-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-21-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-22-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-23-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-24-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3452-25-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	82cd3c3dd9320cd4721fc74843541dc9.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	82cd3c3dd9320cd4721fc74843541dc9.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	82cd3c3dd9320cd4721fc74843541dc9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	82cd3c3dd9320cd4721fc74843541dc9.exe

C:\Users\Admin\AppData\Local\Temp\82cd3c3dd9320cd4721fc74843541dc9.exe
"C:\Users\Admin\AppData\Local\Temp\82cd3c3dd9320cd4721fc74843541dc9.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\82cd3c3dd9320cd4721fc74843541dc9.exe

Filesize
150KB

MD5
19af77f62aa8f966206595aad3df479a

SHA1
32471a103aa05f406cc1e0b7755d9a7abf3ec0eb

SHA256
1103b766bafeb16a6591b60a0f5bc65169967ea9bc18bd41635ee7ef550904bd

SHA512
30fe5307eccb8e3808d062aa2ad5f3ca7b31315502fccd5fb5cb85223090a959841310a93712b2b973b0d2fa6a2971225eb5b2b6b4b23448c608253e967ed841

Download Submit
memory/3452-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3452-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads