neshta | ae2b2f32e9fb4c7db4b8d01fc32a8044ea56029af1d687f061d68472ca84673e

General

Target

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
Size

335KB
MD5

cfaa353b68fb079550cb6c7c46b19f10
SHA1

4827ce7597f762a7fe350e8ea6650c40c005b542
SHA256

ae2b2f32e9fb4c7db4b8d01fc32a8044ea56029af1d687f061d68472ca84673e
SHA512

12fe8e8ddc50fbdd219e004ad93377767c016364ef8ea0546dc6a786fa96dc5e557734d0edb1d376148fe31a1f2f0ebade9f42b0d9cbc23838ee34ddfb9081ee
SSDEEP

6144:z9WimZI46P5Bzb854fgJs3uVAOs5qiwckGIk0ggwJhi/rQx+D8yhabloKp:giU50jb854fgfK5qiw8Ik0ggwJhi/Uxx

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

pid process

4760 cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

pid	process
4760	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

Processes:

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

description ioc process

File opened for modification C:\Windows\svchost.com cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

Modifies registry class 1 IoCs

Processes:

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

description	pid	process	target process
PID 3136 wrote to memory of 4760	3136	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
PID 3136 wrote to memory of 4760	3136	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
PID 3136 wrote to memory of 4760	3136	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe	cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\3582-490\cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe"
2⤵
- Executes dropped EXE
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
b995ca92f5950d33f82765eb6dc2b183

SHA1
ee6af4e058f851816976d64a15500a1166148a0b

SHA256
fbaaaef054ec8d4714fe513a605037124e6251175b2d3d4d3390931e0e8bcc3b

SHA512
cfc22e038b5f95a0a2716a9d59b0f077f090a3a58bf70d0ccb7b20a3cba6fcf9ed0a0a33349232a21a7244c106d52eee0ef00565f3de40d1f6048aa2222d9f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cfaa353b68fb079550cb6c7c46b19f10_NeikiAnalytics.exe
Filesize
294KB

MD5
4c3832fbe84b8ce63d8e3ab7d76f9983

SHA1
eea2d91b7d7d2cdf79bb9f354af7a33d6014f544

SHA256
8fe2226e8bec5a45d4b819359192ab92446b54859bf8877573ab7a3c8b4ada76

SHA512
e6e316bf3414ffb2674bf240760b2617ced755b8a34ad4b3213bcca6ea9a0aa3c2e094319d709a958f603b72197bfa34b100dbe87b618e17601b2e0dac749f84

Download Submit
memory/3136-98-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3136-99-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3136-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads