neshta | 93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098

General

Target

93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
Size

86KB
MD5

97ea124edc91be91c5897f8283165b32
SHA1

44cacc9cf07e0722ebb245e10ce785dd0bebc190
SHA256

93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098
SHA512

a890ff9de36fad3c89fb427e733298d82251f1597c8a44126d6ebf90b1a965600c087a01b71c52684371811ca40ce691fc24c609a84911b43937ba528b631286
SSDEEP

1536:JxqjQ+P04wsmJCwKNmK3NAcCyimhLoahzQOCAw:sr85CJmK3NAc5j3hzQOCL

Score

10^/10

neshta persistence spyware stealer upx

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
behavioral2/memory/1672-95-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1672-96-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1672-98-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe	upx

Drops file in Program Files directory 64 IoCs

Processes:

93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

Drops file in Windows directory 1 IoCs

Processes:

93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

description ioc process

File opened for modification C:\Windows\svchost.com 93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

Modifies registry class 1 IoCs

Processes:

93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe

C:\Users\Admin\AppData\Local\Temp\93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
"C:\Users\Admin\AppData\Local\Temp\93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\93f4485b4c17838591c2ba642c9f5cd822e9a6048e1ef788fe576b7f4ba6a098.exe
Filesize
45KB

MD5
25d4a7676be57ff3850d7756e3b39132

SHA1
24a7eb79ebe6a2e1be3bad7b298b27894f3e7a5b

SHA256
3133987571a35174358509781efd24f388028435fdfaa07ff3173c811111bcb3

SHA512
8855e81df65cf3121436cdadcd51145661d50a5277d4e195886958f16ee2429615cdab5bd3c8dd11587dac8b1f54249c58dd6e5550b7f2447f6167c5f641466d

Download Submit
memory/1672-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1672-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1672-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads