neshta | 69c69877f1db7e532fcadee4c12cbb47943aba7cf67cd0e66c8605d382cbe5bf

General

Target

849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe
Size

787KB
MD5

a40f32931f347c2a295c3169a0d90049
SHA1

ff3cd9ab41aefdc39297041ac22a279bcb6421fb
SHA256

849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a
SHA512

f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f
SSDEEP

12288:rVcNBnF9MerEqHIXgR6pMWDZFSKrL38OnabJufBPr7T4n6+p:pcNFjMtXEvKv38moJuZD7T

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2420-28-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2420-29-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2420-30-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2552-47-0x0000000002670000-0x00000000026B0000-memory.dmp	family_neshta
behavioral1/memory/2420-45-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2420-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2420-127-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2704 schtasks.exe

pid	process
2704	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe

description	pid	process	target process
PID 1288 wrote to memory of 2688	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2688	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2688	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2688	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2552	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2552	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2552	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2552	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	powershell.exe
PID 1288 wrote to memory of 2704	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	schtasks.exe
PID 1288 wrote to memory of 2704	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	schtasks.exe
PID 1288 wrote to memory of 2704	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	schtasks.exe
PID 1288 wrote to memory of 2704	1288	849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe
"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"
2⤵
PID:2688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JbEQlGryO.exe"
2⤵
PID:2552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JbEQlGryO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA2B.tmp"
2⤵
- Creates scheduled task(s)
PID:2704

C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe
"C:\Users\Admin\AppData\Local\Temp\849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a.exe"
2⤵
PID:2420

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
a0c0e84db827383b99061a9c63cdca37

SHA1
09a1f270ddf56adb327587937234b748852fc550

SHA256
3f80ba175c872e265297b2b8e42fe6dd820d94f9015205805e57772f5d2df6ed

SHA512
939904f543915435cda9948f3d00ccb61d4bae9994c5f7cab04c13d35203409fbf26ca4edb92c99ecc8bb5d3e056d72e131733a0459ef7e88b6c186ef3daf7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA2B.tmp
Filesize
1KB

MD5
44544ea903fa0c0bc5c2f5833791f7d2

SHA1
c0dc9a5b275a109f15b971cc1aa09ad7484a0122

SHA256
a295f868fe444e19baacf949b792d142d19214c5c1df5aa17390ee379aa3ae78

SHA512
39667d90ecab1627d8b6f3f2d874a3188a704203f1f12ce45f0281ae691bccfa9d51c27c8108435b109739b87f2db711f004e2564391ede1c52d8382d804a5cf

Download Submit
C:\Users\Admin\AppData\Roaming\JBEQLG~1.EXE
Filesize
787KB

MD5
a40f32931f347c2a295c3169a0d90049

SHA1
ff3cd9ab41aefdc39297041ac22a279bcb6421fb

SHA256
849f8e0fe82c9e9606234c3c6018ca5f94f063d90bf00e9d551002276485892a

SHA512
f666a0be054eb649882a5ad86d3fac609df33f96ded2b7fe76975bba44b477ce2c9eed081939dc20bd6bb8d25dccbc375de8afd57a6139eefb1e2213c144181f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
606184b6388c7bb6bbe661b072323149

SHA1
1fc0d43f621bf8a02c4e03d2af6246a722706939

SHA256
e2fea35c83173b78dcf89eb602473fcb399a6b31d17336ad6018cc271324a290

SHA512
29ad0ac85d2c5f4aa0d62b2a8cb6f47521b7a3eb2690886fc3cc7d81fb44e5015c6617df522d7de730e8568f94aeaa3a61ea03212056b0dbc49fadae91c74bab

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
memory/1288-3-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1288-6-0x0000000004C00000-0x0000000004C8C000-memory.dmp

Filesize
560KB

Download
memory/1288-5-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1288-4-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1288-0-0x0000000000020000-0x00000000000EC000-memory.dmp

Filesize
816KB

Download
memory/1288-2-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/1288-1-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/1288-32-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2420-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2552-51-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-49-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2552-46-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2552-47-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2552-43-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-41-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-48-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2688-44-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-50-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-42-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2688-40-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads