neshta | 2d3e7800abc7779ace85e819654ad61dbe32763325af822770831e2a7f8b8b7c

General

Target

daddy.exe
Size

1.1MB
MD5

f5bc1381e0570ed56f78970d62c9b05e
SHA1

7f47339c24865ead891a51119f87fac8e9fc68d2
SHA256

2d3e7800abc7779ace85e819654ad61dbe32763325af822770831e2a7f8b8b7c
SHA512

da03ea6c03359907886267225f9cc65fcf32879dbb75cd41e72e5394eb842e0be2d56c603bf8c2c7210240d76aaac3f369f3ef17cfed8b174e2105ddfb135c73
SSDEEP

24576:LTyiWFKPJ+3Ei0wKOm+bJtr+QmO7iOwQwW:LGOB+0i05SJtrBmO7iR2

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 2 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
behavioral1/memory/2024-83-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

daddy.exe

pid process

2552 daddy.exe
Loads dropped DLL 2 IoCs

Processes:

daddy.exe

pid process

2024 daddy.exe
2024 daddy.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

daddy.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" daddy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2552	daddy.exe

pid	process
2024	daddy.exe
2024	daddy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	daddy.exe

Drops file in Program Files directory 64 IoCs

Processes:

daddy.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	daddy.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	daddy.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	daddy.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	daddy.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	daddy.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	daddy.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	daddy.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	daddy.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	daddy.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	daddy.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	daddy.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	daddy.exe

Drops file in Windows directory 1 IoCs

Processes:

daddy.exe

description ioc process

File opened for modification C:\Windows\svchost.com daddy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

daddy.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" daddy.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	daddy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	daddy.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

daddy.exe

description	pid	process	target process
PID 2024 wrote to memory of 2552	2024	daddy.exe	daddy.exe
PID 2024 wrote to memory of 2552	2024	daddy.exe	daddy.exe
PID 2024 wrote to memory of 2552	2024	daddy.exe	daddy.exe
PID 2024 wrote to memory of 2552	2024	daddy.exe	daddy.exe

C:\Users\Admin\AppData\Local\Temp\daddy.exe
"C:\Users\Admin\AppData\Local\Temp\daddy.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\3582-490\daddy.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\daddy.exe"
2⤵
- Executes dropped EXE
PID:2552

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\daddy.exe
Filesize
1.1MB

MD5
5054746f39d9991665e46711156aee15

SHA1
0c37b95269f296c422e4bfeec7db743c473071d1

SHA256
43d5f1dd70e5f263fc446efd749aac3cb535c75cdfa7346f1832604799178ea7

SHA512
577322d2d04df8eab990592c96e4b50f562794975b3e123514387621ef7945f681c25d397ad539a00095e66cf88d4d7a284fca7f1983b961b4b92fa18a2a7c93

Download Submit
memory/2024-83-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads