neshta | 9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38

General

Target

9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe
Size

2.5MB
MD5

ded03d57644f017ff167459d8a87f0a1
SHA1

0ee7a5dd4fa01acd351cbdbbfbab109715e46366
SHA256

9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38
SHA512

99c67bce573fad9705a8a407049e855adf34ffa7e5caa5caa6b91a1445cf1b928016ba4d3662e4a2ebedbfcaef51b2770cb545f45e0f70f4d0a3e47d0f437173
SSDEEP

49152:Nbbh9gRrdo042w4BMwRP9TA+OG/Xo/X2dQXLs58gt7CePlwlj:Blso2wKMw70+Jo/X883CPlwlj

Score

10^/10

Malware Config

Signatures

Detect Neshta payload 8 IoCs

resource	yara_rule
behavioral2/files/0x000600000002024e-17.dat	family_neshta
behavioral2/memory/1180-101-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1180-102-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1180-103-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1180-104-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1180-105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1180-106-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1180-108-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe

Executes dropped EXE 1 IoCs

pid	Process
3128	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3128	1180	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe	80
PID 1180 wrote to memory of 3128	1180	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe	80
PID 1180 wrote to memory of 3128	1180	9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe	80

C:\Users\Admin\AppData\Local\Temp\9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe
"C:\Users\Admin\AppData\Local\Temp\9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\3582-490\9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe"
  2⤵
  - Executes dropped EXE
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9f6f0bfabcf0ff3b9e46e7cc7f584d5b2f79a9357afe7e7a3dbe89ccb588db38.exe

Filesize
2.5MB

MD5
39b4fc52afc3a1f71db0e63751c7d2a2

SHA1
b19069161e70a09ee98fc30080d5d6b17dc0abad

SHA256
55a89342d18c6e3c2e78f7c21bc11aef2be31432156d96adaf55c776ddc75517

SHA512
0f5d694ee6be003fe5843b1e5c625d281374a9cc87b6e04b01ff8ddbc85c3f2f937f1303fb3549e2e382d816575c708c215a62f19a792ff590c1e7213ab11f3b

Download Submit
memory/1180-101-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1180-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1180-103-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1180-104-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1180-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1180-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1180-108-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3128-12-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3128-13-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads