Analysis Overview
SHA256
1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0
Threat Level: Known bad
The file 1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0 was found to be: Known bad.
Malicious Activity Summary
Neshta
Neshta family
Detect Neshta payload
Modifies system executable filetype association
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:57
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:57
Reported
2024-04-07 19:00
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe
"C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe
| MD5 | c6c984ed90320b90304d96eb7d580f50 |
| SHA1 | 43f813c2ec923e040ae4d2968e51ba739b1a6e9b |
| SHA256 | 3bbccbfdc08f0ff8301a8826e09d1fc056b9b86b2116ea42d46365ffead289dc |
| SHA512 | 4833aae0a354b933e5553ff3cb7085292a1864e6d913e592f613922b70dd1500313ece1f07de1839adb85a8c2c2041f6d731aa419f90e1e2cd80ab8110c1f5db |
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
| MD5 | cf6c595d3e5e9667667af096762fd9c4 |
| SHA1 | 9bb44da8d7f6457099cb56e4f7d1026963dce7ce |
| SHA256 | 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d |
| SHA512 | ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80 |
\Users\Admin\AppData\Local\Temp\nst4A5B.tmp\System.dll
| MD5 | 82f7926fd7d12e3eb8ed7b5232bcf956 |
| SHA1 | 6065fc921b742cc86c77ce2533fc1d17359eb45e |
| SHA256 | 604b5e75f43ffae8f172018cdd8f136392d9c52ae0c100d27ef537bb2dfb3984 |
| SHA512 | b31a63ebbda8f147c32d8336c5ecde8c5261ad5526b01926d7cd74b7a9a1348da56e180e53d20e1e300daca76f9511f24d6e695550b705b7650c239e5b6e76c7 |
\Users\Admin\AppData\Local\Temp\nst4A5B.tmp\InstallOptions.dll
| MD5 | 271b5d1043c4402f08ddeae383f6979c |
| SHA1 | 2b88c58aa27bfb4979239579cd65d4c6c67a5295 |
| SHA256 | 90485cb175686c3e97b32ebf99daa939c1a6f46e7031f71b72b81cd114fd5b51 |
| SHA512 | f8bd4b316726f05647162bb52a2aeb4a6cf5ee976fdb7817a3d25b868b83fb482c38d078f01d3a629afb0d6fa6ce409b2b3404398563137e22010074f529c11b |
C:\Users\Admin\AppData\Local\Temp\nst4A5B.tmp\ioSpecial.ini
| MD5 | 55c76ac60ef055ac3c3804dacc1163db |
| SHA1 | da256338b3c7eaa4204bea3ea40d87d0e8c7ea79 |
| SHA256 | 87c4c3f7264ec3902a070a4275d6edc9fa8addf45b4d60b49668a02fa75db590 |
| SHA512 | a487a0edc02ea96d5069484efdd54913a507d9c3070ee92549cb5d794e4a2b50265a593662308ac478f0bdf110eca5bd7b0e015cf263de47f2114f8b9b9462a5 |
C:\Users\Admin\AppData\Local\Temp\nst4A5B.tmp\ioSpecial.ini
| MD5 | dde662527686b5faa195921dba53d12e |
| SHA1 | 38262bf28e29280034315a04de7a4cbf20db76d4 |
| SHA256 | ecf1a33163b1b36dcdeaba3b43ef86eeec97157e3ad36af005f4522ea056a397 |
| SHA512 | 3dc555b36af62aab3ef3add589fe8756435e11b9a03c924ceb06f58c8e7a69f2a7c56975cff5160690b72cb7aa6e277ed28af269d962d810eb6d4cfff95ef057 |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
memory/2004-168-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2004-169-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2004-170-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2004-171-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2004-173-0x0000000000400000-0x000000000041B000-memory.dmp
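The behavioral1 signatures above carry the three indicators that identify this detonation as Neshta rather than a generic NSIS installer: the `exefile\shell\open\command` default is rewritten to `C:\Windows\svchost.com "%1" %*` (so every .exe launch passes through the virus first), `C:\Windows\svchost.com` is written, and the dropper relaunches its host from `%TEMP%\3582-490\` (the directory in which Neshta stores the clean original of an infected executable). The modified executables under `C:\MSOCache` and `C:\PROGRA~2` in the Files list are consistent with the family's known behaviour of infecting .exe files it finds on disk. The following Python is an added example of detection logic over those indicators, not part of the sandbox output: the events are constructed from the paths in this report, and the Sysmon event IDs (1, 11, 13) are an assumed telemetry source; the registry path is matched by its suffix so both the sandbox's native `\REGISTRY\MACHINE\...` form and the `HKLM\...` form seen in host telemetry are covered.

```python
"""Neshta indicator checks over constructed Sysmon-style events (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Default data of HKLM\SOFTWARE\Classes\exefile\shell\open\command on a clean host.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Suffix match: covers \REGISTRY\MACHINE\SOFTWARE\Classes\... (sandbox) and HKLM\SOFTWARE\Classes\... (Sysmon).
EXEFILE_KEY_RE = re.compile(r"\\classes\\exefile\\shell\\open\\command\\?$", re.IGNORECASE)
# svchost.com directly under the Windows directory; note .com, not the legitimate System32\svchost.exe.
SVCHOST_COM_RE = re.compile(r"^[a-z]:\\windows\\svchost\.com$", re.IGNORECASE)
# Neshta's fixed staging directory for the clean host executable.
NESHTA_TEMP_RE = re.compile(r"\\3582-490\\", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-style event: 1 = process create, 11 = file create, 13 = registry value set."""
    event_id: int
    image: str           # acting process
    target: str = ""     # child image (1), file path (11), registry key (13)
    details: str = ""    # registry value data (13 only)


def classify(ev: Event) -> list[str]:
    """Return the names of the Neshta indicators that this single event satisfies."""
    hits: list[str] = []
    if ev.event_id == 13 and EXEFILE_KEY_RE.search(ev.target):
        data = ev.details.strip()
        if data != CLEAN_EXEFILE_COMMAND:
            # Any non-default value is an exefile hijack; the svchost.com handler is Neshta-specific.
            hits.append("exefile_association_hijack")
            if "svchost.com" in data.lower():
                hits.append("neshta_exefile_hook")
    elif ev.event_id == 11 and SVCHOST_COM_RE.match(ev.target):
        hits.append("neshta_svchost_com_dropped")
    elif ev.event_id == 1 and NESHTA_TEMP_RE.search(ev.target):
        hits.append("neshta_host_relaunch_from_3582-490")
    return hits


def scan(events: list[Event]) -> dict:
    """Map each indicator to the indices of events that fired it and give a verdict."""
    indicators: dict[str, list[int]] = {}
    for idx, ev in enumerate(events):
        for name in classify(ev):
            indicators.setdefault(name, []).append(idx)
    if any(name.startswith("neshta_") for name in indicators):
        verdict = "neshta"
    elif indicators:
        verdict = "suspicious"   # exefile hijacked, but not by the Neshta handler
    else:
        verdict = "clean"
    return {"indicators": indicators, "verdict": verdict}


# Constructed events mirroring the indicators in this report; not real telemetry.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NAME = "1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe"
DROPPER = TEMP + "\\" + NAME
SAMPLE_EVENTS = [
    Event(13, DROPPER, "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\",
          'C:\\Windows\\svchost.com "%1" %*'),
    Event(11, DROPPER, r"C:\Windows\svchost.com"),
    Event(1, DROPPER, TEMP + "\\3582-490\\" + NAME),
    # benign controls: default association restored by regedit, and a real svchost.exe writing a temp file
    Event(13, r"C:\Windows\regedit.exe", r"HKLM\SOFTWARE\Classes\exefile\shell\open\command", '"%1" %*'),
    Event(11, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\x.tmp"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The verdict deliberately separates a generic exefile hijack ("suspicious") from the Neshta-specific `svchost.com` handler ("neshta"): other families and some legitimate launchers also rewrite that key, so the hook alone should be triaged rather than auto-attributed. In an incident, the association must be restored to `"%1" %*` before deleting `C:\Windows\svchost.com`, otherwise no .exe will launch on the host.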
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:57
Reported
2024-04-07 19:00
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe
"C:\Users\Admin\AppData\Local\Temp\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\1798d9304019390a7af6fc7b0d2db331e758230add1847d889dbcfd1bdec8be0.exe
| MD5 | c6c984ed90320b90304d96eb7d580f50 |
| SHA1 | 43f813c2ec923e040ae4d2968e51ba739b1a6e9b |
| SHA256 | 3bbccbfdc08f0ff8301a8826e09d1fc056b9b86b2116ea42d46365ffead289dc |
| SHA512 | 4833aae0a354b933e5553ff3cb7085292a1864e6d913e592f613922b70dd1500313ece1f07de1839adb85a8c2c2041f6d731aa419f90e1e2cd80ab8110c1f5db |
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\System.dll
| MD5 | 82f7926fd7d12e3eb8ed7b5232bcf956 |
| SHA1 | 6065fc921b742cc86c77ce2533fc1d17359eb45e |
| SHA256 | 604b5e75f43ffae8f172018cdd8f136392d9c52ae0c100d27ef537bb2dfb3984 |
| SHA512 | b31a63ebbda8f147c32d8336c5ecde8c5261ad5526b01926d7cd74b7a9a1348da56e180e53d20e1e300daca76f9511f24d6e695550b705b7650c239e5b6e76c7 |
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\ioSpecial.ini
| MD5 | 967dcf54b0a6566301bcfc82fabbdf94 |
| SHA1 | 098623c4f0a30f2cacda058c6d3efc8610ba4894 |
| SHA256 | 5fc876886108129233c0056b2dfc32e5a15ed81712d18627f48e1615b55d0c54 |
| SHA512 | 99f6b80c4f404059b1fc37f5aa0d0e40d8f3547bc597be4c8c91c7a10429fb89a4ea83061146bc393e6203436cc4044fcee0ae6389a573c292d90ef1f310c812 |
C:\Users\Admin\AppData\Local\Temp\nss4160.tmp\InstallOptions.dll
| MD5 | 271b5d1043c4402f08ddeae383f6979c |
| SHA1 | 2b88c58aa27bfb4979239579cd65d4c6c67a5295 |
| SHA256 | 90485cb175686c3e97b32ebf99daa939c1a6f46e7031f71b72b81cd114fd5b51 |
| SHA512 | f8bd4b316726f05647162bb52a2aeb4a6cf5ee976fdb7817a3d25b868b83fb482c38d078f01d3a629afb0d6fa6ce409b2b3404398563137e22010074f529c11b |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | 8ffc3bdf4a1903d9e28b99d1643fc9c7 |
| SHA1 | 919ba8594db0ae245a8abd80f9f3698826fc6fe5 |
| SHA256 | 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6 |
| SHA512 | 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427 |
memory/4556-179-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4556-180-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4556-182-0x0000000000400000-0x000000000041B000-memory.dmp