medusalocker | b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neshta.exe
Size

719KB
MD5

8474039d83805eb7b447325c3a8d1ebb
SHA1

a07d537f4253745a087709a9a07c449f84deed8d
SHA256

b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649
SHA512

3272091bbf123ba5e1592e8b2bd7740cddcb174fa158bc6980b25ee61d92387e94a25284736253f83a6eea78b427f6717e888e843db9d7759cfe9a7676576438
SSDEEP

12288:q4UOTYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuhJVoM7SPd:bRTYVQ2qZ7aSgLwuVfstRJL6YM6

Score

10^/10

medusalocker neshta evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Recovery\WindowsRE\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">558B98ECE77CE1AE889BD3A55E1F7122E7E90C42157F094AC86775B868A33661B4A9FD2A07933377E988B8EDFBE836374FFEADA00E95E345FD64BBAADC6C949A<br>D2971D919B2AE224BF267F6CFE3C2109A7B5DDF5DEC91D7BF6F37D665516E52D306A751FB59D162E0958202231EFEBF522F7151B21310D9E2271DC781CEF<br>BCE1F169FA7F10F6B8B054EA566EF4755C68EE0AAD8DE5D1FC99B2FCCD163B5A4F1E7E7DED94FCBBD723969F2066B36C63A4F8FEEF7A74EE3A9A7004C314<br>8456F907B18285DCCA77D5F9E43B1F57FB14688F9425C8FF267B2101F557DA77B15C581359AE842F8F639930028DDA5E9DEA9FA95A1EFF140DB92A929C93<br>70A24908CAB739FEFE47D8B079EA2CE6BD05180A7F7FA3C182C759ED033E98D86E842B29359A9504EA63005B8C99093975C670F5CA4968FBC7F5D10046C1<br>81B1E78D9ACD8BB316B19F1F3EB0555ED029570B0880FE136B52B9CAA5E8321E1A4579E22A2ACEE1976457EAD854D7E6873C91D0215ABF526FCB16A75EE6<br>C622FEC940D2B9A480EF40048C5448ADCB566BD6F66DDD48865E1FA9BCAB57D051F5138744A7222A69D982538645572E5D89A90E81DABD51461C91A80029<br>7FD47FA1B826E715D343402DD266B77EE15215DAF4228C7DF19500F5C992B93C1EEE3828554E48BFBC4CE687A9685694BC3A503D1B4CBF0ECF191D679471<br>B8819475856990BCBC89E953E3A8</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>http://gvlay6u4g53rxdi5.onion/31-LPy3hdSfGLBgLSfGcKN9rubDKoa1VMK4-oM9QK65CK2M94PndohhiwOPR8pWZsVGb</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected]">[email protected]</a> <br><a href="[email protected]">[email protected]</a> <br> <b>* To contact us, create a new mail on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b>Make contact as soon as possible. Your private key (decryption key) <br> is only stored temporarily.<br><br> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]">[email protected]</a>

Signatures

Detect Neshta payload 9 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020268-26.dat	family_neshta
behavioral2/files/0x000700000002344a-102.dat	family_neshta
behavioral2/memory/2256-607-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2256-608-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2256-609-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2256-611-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0007000000023449-620.dat	family_neshta
behavioral2/memory/1376-631-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4620-629-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023444-4.dat	family_medusalocker
behavioral2/files/0x000700000002344a-102.dat	family_medusalocker

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Neshta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Neshta.exe

Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Neshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	svhost.exe

Executes dropped EXE 4 IoCs

pid	Process
1592	Neshta.exe
4620	svhost.exe
1376	svchost.com
4656	svhost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Neshta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Neshta.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini	Neshta.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Neshta.exe
File opened (read-only)	\??\N:	Neshta.exe
File opened (read-only)	\??\O:	Neshta.exe
File opened (read-only)	\??\R:	Neshta.exe
File opened (read-only)	\??\T:	Neshta.exe
File opened (read-only)	\??\E:	Neshta.exe
File opened (read-only)	\??\V:	Neshta.exe
File opened (read-only)	\??\S:	Neshta.exe
File opened (read-only)	\??\Z:	Neshta.exe
File opened (read-only)	\??\B:	Neshta.exe
File opened (read-only)	\??\G:	Neshta.exe
File opened (read-only)	\??\H:	Neshta.exe
File opened (read-only)	\??\L:	Neshta.exe
File opened (read-only)	\??\P:	Neshta.exe
File opened (read-only)	\??\Q:	Neshta.exe
File opened (read-only)	\??\X:	Neshta.exe
File opened (read-only)	\??\Y:	Neshta.exe
File opened (read-only)	\??\A:	Neshta.exe
File opened (read-only)	\??\J:	Neshta.exe
File opened (read-only)	\??\K:	Neshta.exe
File opened (read-only)	\??\M:	Neshta.exe
File opened (read-only)	\??\U:	Neshta.exe
File opened (read-only)	\??\W:	Neshta.exe
File opened (read-only)	\??\F:	Neshta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	Neshta.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	Neshta.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	Neshta.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svhost.exe
File opened for modification	C:\Windows\svchost.com	svhost.exe
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Neshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	svhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe
1592	Neshta.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2196	wmic.exe
Token: SeSecurityPrivilege	2196	wmic.exe
Token: SeTakeOwnershipPrivilege	2196	wmic.exe
Token: SeLoadDriverPrivilege	2196	wmic.exe
Token: SeSystemProfilePrivilege	2196	wmic.exe
Token: SeSystemtimePrivilege	2196	wmic.exe
Token: SeProfSingleProcessPrivilege	2196	wmic.exe
Token: SeIncBasePriorityPrivilege	2196	wmic.exe
Token: SeCreatePagefilePrivilege	2196	wmic.exe
Token: SeBackupPrivilege	2196	wmic.exe
Token: SeRestorePrivilege	2196	wmic.exe
Token: SeShutdownPrivilege	2196	wmic.exe
Token: SeDebugPrivilege	2196	wmic.exe
Token: SeSystemEnvironmentPrivilege	2196	wmic.exe
Token: SeRemoteShutdownPrivilege	2196	wmic.exe
Token: SeUndockPrivilege	2196	wmic.exe
Token: SeManageVolumePrivilege	2196	wmic.exe
Token: 33	2196	wmic.exe
Token: 34	2196	wmic.exe
Token: 35	2196	wmic.exe
Token: 36	2196	wmic.exe
Token: SeIncreaseQuotaPrivilege	4884	wmic.exe
Token: SeSecurityPrivilege	4884	wmic.exe
Token: SeTakeOwnershipPrivilege	4884	wmic.exe
Token: SeLoadDriverPrivilege	4884	wmic.exe
Token: SeSystemProfilePrivilege	4884	wmic.exe
Token: SeSystemtimePrivilege	4884	wmic.exe
Token: SeProfSingleProcessPrivilege	4884	wmic.exe
Token: SeIncBasePriorityPrivilege	4884	wmic.exe
Token: SeCreatePagefilePrivilege	4884	wmic.exe
Token: SeBackupPrivilege	4884	wmic.exe
Token: SeRestorePrivilege	4884	wmic.exe
Token: SeShutdownPrivilege	4884	wmic.exe
Token: SeDebugPrivilege	4884	wmic.exe
Token: SeSystemEnvironmentPrivilege	4884	wmic.exe
Token: SeRemoteShutdownPrivilege	4884	wmic.exe
Token: SeUndockPrivilege	4884	wmic.exe
Token: SeManageVolumePrivilege	4884	wmic.exe
Token: 33	4884	wmic.exe
Token: 34	4884	wmic.exe
Token: 35	4884	wmic.exe
Token: 36	4884	wmic.exe
Token: SeIncreaseQuotaPrivilege	3888	wmic.exe
Token: SeSecurityPrivilege	3888	wmic.exe
Token: SeTakeOwnershipPrivilege	3888	wmic.exe
Token: SeLoadDriverPrivilege	3888	wmic.exe
Token: SeSystemProfilePrivilege	3888	wmic.exe
Token: SeSystemtimePrivilege	3888	wmic.exe
Token: SeProfSingleProcessPrivilege	3888	wmic.exe
Token: SeIncBasePriorityPrivilege	3888	wmic.exe
Token: SeCreatePagefilePrivilege	3888	wmic.exe
Token: SeBackupPrivilege	3888	wmic.exe
Token: SeRestorePrivilege	3888	wmic.exe
Token: SeShutdownPrivilege	3888	wmic.exe
Token: SeDebugPrivilege	3888	wmic.exe
Token: SeSystemEnvironmentPrivilege	3888	wmic.exe
Token: SeRemoteShutdownPrivilege	3888	wmic.exe
Token: SeUndockPrivilege	3888	wmic.exe
Token: SeManageVolumePrivilege	3888	wmic.exe
Token: 33	3888	wmic.exe
Token: 34	3888	wmic.exe
Token: 35	3888	wmic.exe
Token: 36	3888	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1592	2256	Neshta.exe	83
PID 2256 wrote to memory of 1592	2256	Neshta.exe	83
PID 2256 wrote to memory of 1592	2256	Neshta.exe	83
PID 1592 wrote to memory of 2196	1592	Neshta.exe	85
PID 1592 wrote to memory of 2196	1592	Neshta.exe	85
PID 1592 wrote to memory of 2196	1592	Neshta.exe	85
PID 1592 wrote to memory of 4884	1592	Neshta.exe	88
PID 1592 wrote to memory of 4884	1592	Neshta.exe	88
PID 1592 wrote to memory of 4884	1592	Neshta.exe	88
PID 1592 wrote to memory of 3888	1592	Neshta.exe	90
PID 1592 wrote to memory of 3888	1592	Neshta.exe	90
PID 1592 wrote to memory of 3888	1592	Neshta.exe	90
PID 4620 wrote to memory of 1376	4620	svhost.exe	105
PID 4620 wrote to memory of 1376	4620	svhost.exe	105
PID 4620 wrote to memory of 1376	4620	svhost.exe	105
PID 1376 wrote to memory of 4656	1376	svchost.com	106
PID 1376 wrote to memory of 4656	1376	svchost.com	106
PID 1376 wrote to memory of 4656	1376	svchost.com	106

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Neshta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Neshta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Neshta.exe

C:\Users\Admin\AppData\Local\Temp\Neshta.exe
"C:\Users\Admin\AppData\Local\Temp\Neshta.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\3582-490\Neshta.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Neshta.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1592
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3888

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe
    3⤵
    - Executes dropped EXE
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Recovery\WindowsRE\Recovery_Instructions.html

Filesize
4KB

MD5
733703a77a529c7153209c21ea4d49ba

SHA1
b7a24ce9a5de9def585f3bbc8ac35d885c59113f

SHA256
1051de5a04672457a97354ae52ec2e6d16843727be5a105dc5d40e895f54007e

SHA512
4df546e995d64d69942d55a8ba7de29eed7f5903dbde51e1aaaa156caec06148d78f55eeb5a7c5056ae6e0c12c5cdb141fb94a8c1d0df446e9469407c5dea30b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Neshta.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
8f9fb9913dbca609c845b951befe90ae

SHA1
116e112a229af56473ffa87ade33bcc800bfd88d

SHA256
c3cb2743a19ea0263efb4fe56bbc64fdbd45f6bc435c9818d0b0d6f5d1275bcf

SHA512
e88958f801ed9b3a75630b3907caa944f4dc8d43777079f31218ebd626be359f215c6eaefbba23667358b730578718f87a540acec7c04af5c256e7a8b0543b51

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
719KB

MD5
8474039d83805eb7b447325c3a8d1ebb

SHA1
a07d537f4253745a087709a9a07c449f84deed8d

SHA256
b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649

SHA512
3272091bbf123ba5e1592e8b2bd7740cddcb174fa158bc6980b25ee61d92387e94a25284736253f83a6eea78b427f6717e888e843db9d7759cfe9a7676576438

Download Submit
C:\Users\Default\ntuser.dat.LOG2

Filesize
536B

MD5
61d1566068cc1bab8073ab1f49d86e15

SHA1
38f308ab524dbf5dc18108ab3ae64c80bb4a246f

SHA256
3fb3b95947369ab6c57ee10c0fdc6383cba1f1576834ab69f40d455aea408d82

SHA512
329ef0faec52aab7475de40ed00975fcc9d82636fe8e7c3360b52f71a33921b2356189cd8f15c62f301e254c0620d427bbc1ac4c25765666489909c97aa56140

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/1376-631-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-607-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-611-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-609-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-608-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4620-629-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download