Analysis
- max time kernel: 112s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 06/08/2024, 04:09
Static task: static1
Behavioral task: behavioral1
- Sample: 584567077749ecf5e15a16ce814d1160N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 584567077749ecf5e15a16ce814d1160N.exe
- Resource: win10v2004-20240802-en
General
- Target: 584567077749ecf5e15a16ce814d1160N.exe
- Size: 230KB
- MD5: 584567077749ecf5e15a16ce814d1160
- SHA1: a3eb035860a15928e92eec90f3adcf9040eb38d4
- SHA256: cb8c01dc8976fcc4a3d5fc3ba7049f582257c7a272de19a29f3448d40f42a370
- SHA512: 013d97af96fe847542454d7708e7c3be444a377d6713eeb1c8afcbf403df7aef6740e116417a087ec6acc2a8e4dc5ab05568805f5c1b63ae42405ad215746529
- SSDEEP: 6144:jyH7xOc6H5c6HcT66vlmrihyTI2hzQTmjS+B8LkLgUQUeRUq5a:jadN+GkEUve4
Malware Config
Signatures
Detect Neshta payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral1/files/0x000b00000001923a-16.dat                                    family_neshta
  behavioral1/memory/2632-109-0x0000000000400000-0x000000000041B000-memory.dmp   family_neshta
  behavioral1/files/0x0001000000010314-119.dat                                   family_neshta
Neshta
Malware from the Neshta family injects itself into other files in order to spread and cause damage.

Executes dropped EXE (4 IoCs)
  pid   Process
  1232  svchost.exe
  2632  584567077749ecf5e15a16ce814d1160N.exe
  2656  svchost.exe
  2812  584567077749ecf5e15a16ce814d1160N.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  1232  svchost.exe
  1232  svchost.exe
  2632  584567077749ecf5e15a16ce814d1160N.exe
  2632  584567077749ecf5e15a16ce814d1160N.exe
  2632  584567077749ecf5e15a16ce814d1160N.exe

Modifies system executable filetype association (2 TTPs, 1 IoC)
  description      ioc                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  584567077749ecf5e15a16ce814d1160N.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Drops file in Program Files directory (64 IoCs)

Drops file in Windows directory (2 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\svchost.exe   584567077749ecf5e15a16ce814d1160N.exe
  File opened for modification  C:\Windows\svchost.com   584567077749ecf5e15a16ce814d1160N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  584567077749ecf5e15a16ce814d1160N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  584567077749ecf5e15a16ce814d1160N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe

Modifies registry class (1 IoC)
  description      ioc                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  584567077749ecf5e15a16ce814d1160N.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                 procid_target
  PID 1816 wrote to memory of 1232  1816  584567077749ecf5e15a16ce814d1160N.exe   30
  PID 1816 wrote to memory of 1232  1816  584567077749ecf5e15a16ce814d1160N.exe   30
  PID 1816 wrote to memory of 1232  1816  584567077749ecf5e15a16ce814d1160N.exe   30
  PID 1816 wrote to memory of 1232  1816  584567077749ecf5e15a16ce814d1160N.exe   30
  PID 1232 wrote to memory of 2632  1232  svchost.exe                             31
  PID 1232 wrote to memory of 2632  1232  svchost.exe                             31
  PID 1232 wrote to memory of 2632  1232  svchost.exe                             31
  PID 1232 wrote to memory of 2632  1232  svchost.exe                             31
  PID 2632 wrote to memory of 2812  2632  584567077749ecf5e15a16ce814d1160N.exe   33
  PID 2632 wrote to memory of 2812  2632  584567077749ecf5e15a16ce814d1160N.exe   33
  PID 2632 wrote to memory of 2812  2632  584567077749ecf5e15a16ce814d1160N.exe   33
  PID 2632 wrote to memory of 2812  2632  584567077749ecf5e15a16ce814d1160N.exe   33
Processes
C:\Users\Admin\AppData\Local\Temp\584567077749ecf5e15a16ce814d1160N.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\584567077749ecf5e15a16ce814d1160N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1816
  C:\Windows\svchost.exe (level 2)
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\584567077749ecf5e15a16ce814d1160N.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1232
    C:\Users\Admin\AppData\Local\Temp\584567077749ecf5e15a16ce814d1160N.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\584567077749ecf5e15a16ce814d1160N.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2632
      C:\Users\Admin\AppData\Local\Temp\3582-490\584567077749ecf5e15a16ce814d1160N.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\584567077749ecf5e15a16ce814d1160N.exe"
        - Executes dropped EXE
        PID: 2812

C:\Windows\svchost.exe (level 1)
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2656