Analysis Overview
SHA256
5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b
Threat Level: Known bad
The file 5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe was found to be: Known bad.
Malicious Activity Summary
Neshta family
Detect Neshta payload
Neshta
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Executes dropped EXE
Checks computer location settings
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-14 10:25
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-14 10:25
Reported
2024-04-14 10:56
Platform
win7-20240221-en
Max time kernel
1182s
Max time network
1203s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49202 | tcp | |
| N/A | 127.0.0.1:49204 | tcp | |
| CA | 54.39.68.9:444 | tcp | |
| NL | 192.42.113.101:9002 | tcp | |
| NL | 85.145.145.201:4433 | tcp | |
| US | 198.24.164.98:443 | tcp |
Files
\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
| MD5 | dcb04bad2eb62d8e258a8038e741c554 |
| SHA1 | ba64b4b7134d9ccda5cdd3624cdc898e3778fb7f |
| SHA256 | 33049016dd8985e97e69d89cad74b59b06488310c0be86d0f83b10ee096b7875 |
| SHA512 | 8f0fb5a453030850c37e6f3b8f94bc0eb04512c4810dfc5499289dc74b1d02c38e639947245e996cfb3398449395d3ba59f1513f5a9c3283dc4d268f0d7265c5 |
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
| MD5 | cf6c595d3e5e9667667af096762fd9c4 |
| SHA1 | 9bb44da8d7f6457099cb56e4f7d1026963dce7ce |
| SHA256 | 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d |
| SHA512 | ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80 |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | ffcd5cbca9867eee8d74446c60ea6736 |
| SHA1 | 1a14d9829b9ec3b18adbdca0f87df2fd34938992 |
| SHA256 | 2089eed082364ed1e52980737b55c54c434f42fdf5048077b63e0dc5ee8e69c3 |
| SHA512 | e11ed7aab2389008bb02ed33cffaeeab18799acc1ebdecc9a84edc190a55dda41aa5543cc5d7a784e966cb3ab93973fe81a1b94db89e3600fff9017db083b6fb |
C:\Users\Admin\AppData\Roaming\tor\cached-certs.tmp
| MD5 | 2ebded1bd18be09f175ae3b6d13ffb9c |
| SHA1 | 92211419a43b8c9c1c6d794f2e0aa14afe06dea8 |
| SHA256 | 02ed88d8205a9b3c9661b8db2b9d75eaba21d48c995918a21ca2ad0d330aa526 |
| SHA512 | dab4fc59c6c44428f95896213d1c391b8373f9b7c1cda9403e633d765c6965ca8727d58dc23ffb09e7d45a5ff3735a81a94927fc476fd44e69d5b1cbaf998cbc |
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
| MD5 | f4c84c84ff00c72f79efdf9a26256d12 |
| SHA1 | 73efea704b6b7d9538fb1b21b84d419f0340ec49 |
| SHA256 | 424a66dbc29c0983eccdba30f2a50b6d759dc9207449a8920f8761f87992b939 |
| SHA512 | 7cfd68f3610c3b049a7dcb2c0a832c872b4f5774d9feeb644806fc588c917942e48665d9500315154260a381744b4cb5eb6b87a278f69654ccce43761effbf2f |
memory/332-110-0x0000000000400000-0x000000000041B000-memory.dmp
memory/332-122-0x0000000000400000-0x000000000041B000-memory.dmp
memory/332-123-0x0000000000400000-0x000000000041B000-memory.dmp
memory/332-125-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-14 10:25
Reported
2024-04-14 10:56
Platform
win10-20240404-en
Max time kernel
1178s
Max time network
1200s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2544 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe |
| PID 2544 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
Network
| Country | Destination | Domain | Proto |
| CZ | 185.32.183.18:9001 | tcp | |
| US | 8.8.8.8:53 | 18.183.32.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:49783 | tcp | |
| N/A | 127.0.0.1:49787 | tcp | |
| DE | 185.220.102.243:443 | tcp | |
| DE | 94.130.132.10:9001 | tcp | |
| DE | 193.26.158.214:9001 | tcp | |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.6.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.132.130.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.158.26.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
| MD5 | dcb04bad2eb62d8e258a8038e741c554 |
| SHA1 | ba64b4b7134d9ccda5cdd3624cdc898e3778fb7f |
| SHA256 | 33049016dd8985e97e69d89cad74b59b06488310c0be86d0f83b10ee096b7875 |
| SHA512 | 8f0fb5a453030850c37e6f3b8f94bc0eb04512c4810dfc5499289dc74b1d02c38e639947245e996cfb3398449395d3ba59f1513f5a9c3283dc4d268f0d7265c5 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | ffcd5cbca9867eee8d74446c60ea6736 |
| SHA1 | 1a14d9829b9ec3b18adbdca0f87df2fd34938992 |
| SHA256 | 2089eed082364ed1e52980737b55c54c434f42fdf5048077b63e0dc5ee8e69c3 |
| SHA512 | e11ed7aab2389008bb02ed33cffaeeab18799acc1ebdecc9a84edc190a55dda41aa5543cc5d7a784e966cb3ab93973fe81a1b94db89e3600fff9017db083b6fb |
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
| MD5 | ac54ba68e45abddaa658e1b5a80b7b28 |
| SHA1 | 67b66c1fa7b58515dae0bf141d5164b47b0c2059 |
| SHA256 | 37ecf53420b3b1d559c1c9cd1d80dbecd6c3a802173f0f04a929796bc861cf11 |
| SHA512 | 18e41a90efe26c4b609984941dcd08cb13e9f499a4fee9872cc8e4220fdcf14f8187d9c4d09ccd5df90b4b0614b6556817315bdb08e356d5fc105e3fdcf827f5 |
memory/2544-79-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2544-85-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-14 10:25
Reported
2024-04-14 10:56
Platform
win10v2004-20240412-en
Max time kernel
1175s
Max time network
1199s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4656 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe |
| PID 4656 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| N/A | 127.0.0.1:49769 | tcp | |
| N/A | 127.0.0.1:49773 | tcp | |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 65.108.136.190:80 | tcp | |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.136.108.65.in-addr.arpa | udp |
| CA | 148.113.162.135:9001 | tcp | |
| US | 74.215.154.5:8675 | tcp | |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.162.113.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.154.215.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
| MD5 | dcb04bad2eb62d8e258a8038e741c554 |
| SHA1 | ba64b4b7134d9ccda5cdd3624cdc898e3778fb7f |
| SHA256 | 33049016dd8985e97e69d89cad74b59b06488310c0be86d0f83b10ee096b7875 |
| SHA512 | 8f0fb5a453030850c37e6f3b8f94bc0eb04512c4810dfc5499289dc74b1d02c38e639947245e996cfb3398449395d3ba59f1513f5a9c3283dc4d268f0d7265c5 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
| MD5 | ffcd5cbca9867eee8d74446c60ea6736 |
| SHA1 | 1a14d9829b9ec3b18adbdca0f87df2fd34938992 |
| SHA256 | 2089eed082364ed1e52980737b55c54c434f42fdf5048077b63e0dc5ee8e69c3 |
| SHA512 | e11ed7aab2389008bb02ed33cffaeeab18799acc1ebdecc9a84edc190a55dda41aa5543cc5d7a784e966cb3ab93973fe81a1b94db89e3600fff9017db083b6fb |
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
| MD5 | d15ce323fc0b6824ed8d1433f5c2a8f9 |
| SHA1 | b186754863ae3b89f64ef46eab2a439c0bfa7593 |
| SHA256 | 6719459d74ef60e76e1d197dcc81154fc859f3df6b7897e1dbc6385f4a492b04 |
| SHA512 | e215886f2a42e2f25c45b78b2f37091f3d52cc2af6b7bc5d21273d1b864c5184f8d26463cb020461c7ed9fd27edee7a17a59977ed856fc93db7766266cc1391d |
memory/4656-111-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4656-118-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4656-125-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-14 10:25
Reported
2024-04-14 10:56
Platform
win11-20240412-en
Max time kernel
1185s
Max time network
1200s
Command Line
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Neshta
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe |
| PID 2244 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 130.61.178.131:9100 | tcp | |
| NL | 108.61.189.136:443 | tcp | |
| N/A | 127.0.0.1:49733 | tcp | |
| N/A | 127.0.0.1:49737 | tcp | |
| US | 8.8.8.8:53 | 136.189.61.108.in-addr.arpa | udp |
| DE | 45.136.31.222:9001 | tcp | |
| FR | 163.5.159.230:9100 | tcp | |
| RU | 185.87.50.180:443 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\5a3bf0b8d1a106547a414123b92c2bbf0560d1f38599956335c2bc8c2c9f4e0b.exe
| MD5 | dcb04bad2eb62d8e258a8038e741c554 |
| SHA1 | ba64b4b7134d9ccda5cdd3624cdc898e3778fb7f |
| SHA256 | 33049016dd8985e97e69d89cad74b59b06488310c0be86d0f83b10ee096b7875 |
| SHA512 | 8f0fb5a453030850c37e6f3b8f94bc0eb04512c4810dfc5499289dc74b1d02c38e639947245e996cfb3398449395d3ba59f1513f5a9c3283dc4d268f0d7265c5 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | 3b73078a714bf61d1c19ebc3afc0e454 |
| SHA1 | 9abeabd74613a2f533e2244c9ee6f967188e4e7e |
| SHA256 | ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29 |
| SHA512 | 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4 |
C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus
| MD5 | ffcd5cbca9867eee8d74446c60ea6736 |
| SHA1 | 1a14d9829b9ec3b18adbdca0f87df2fd34938992 |
| SHA256 | 2089eed082364ed1e52980737b55c54c434f42fdf5048077b63e0dc5ee8e69c3 |
| SHA512 | e11ed7aab2389008bb02ed33cffaeeab18799acc1ebdecc9a84edc190a55dda41aa5543cc5d7a784e966cb3ab93973fe81a1b94db89e3600fff9017db083b6fb |
C:\Users\Admin\AppData\Roaming\tor\cached-certs
| MD5 | 4542086af7ba929cb12c7e8c1ad16800 |
| SHA1 | 685b421e18416c7a39bf03839ab4712841b8f64b |
| SHA256 | 575498232cd72638101a72151dc241dc0e23b503bd034e085c141780fba0e2a7 |
| SHA512 | 36bfd8faf5d33ea0493802b635074852519498b85ed0e89e059871d3d3211c2185fa441b31cb099f4c7c7673b242a2ccb0718be9a4edeab9527587b13a635f36 |
memory/2244-130-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 9cff0adb45a086403bd2f27501ad77eb |
| SHA1 | 9d5fc1fee65696b2f171eeecaa8e6d87c00661cb |
| SHA256 | f4ae52174cded66b999061644193fd74fc22830fe4f49f6a5b97bb75f921cfa3 |
| SHA512 | 7e3aad66f04a5a8a3c40c25b72fb36009ba5b6d10ada342b1b52d2f35c16d31ada995bdd9808cb1e36eda38f204591153e45affb59a9f1039cb9adbe5721eb35 |
memory/2244-147-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2244-152-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2244-154-0x0000000000400000-0x000000000041B000-memory.dmp