neshta | 45962d0cd966db377597088be22d1c9824ca603993969ff08c8405f362e9869d

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11/11/2024, 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ödeme Bildirimi.exe
Size

810.6MB
MD5

a50c233309fce547730f8c7f2277e84a
SHA1

66e083c2d7e3bc02b509f3574ead4f70917f8cf4
SHA256

cdc7a8459646b81c8922b54e0b555a8f3bf336064a752822e053d278746d01d5
SHA512

eac158fe946814ccf28e45af0784fd31090e68f3de5544a6b43cf5b8faa526df9b5830c3f09d64ccc3bbc98d4779c18f87b958027dddcab76ee6da1176ece476
SSDEEP

24576:4MvDamiIIpODOJ/j0VfNAMa+cJBaVksf4/1EV8VgRl:HeDHOD6/jI+Z+SB5FVV

Score

10^/10

neshta discovery execution persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 2 IoCs

resource	yara_rule
behavioral1/memory/2124-35-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2124-34-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3012	powershell.exe
2532	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
2124	Ödeme Bildirimi.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Ödeme Bildirimi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2124	2768	Ödeme Bildirimi.exe	36

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	Ödeme Bildirimi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	Ödeme Bildirimi.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	Ödeme Bildirimi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ödeme Bildirimi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ödeme Bildirimi.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Ödeme Bildirimi.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3012	powershell.exe
2532	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 3012	2768	Ödeme Bildirimi.exe	30
PID 2768 wrote to memory of 3012	2768	Ödeme Bildirimi.exe	30
PID 2768 wrote to memory of 3012	2768	Ödeme Bildirimi.exe	30
PID 2768 wrote to memory of 3012	2768	Ödeme Bildirimi.exe	30
PID 2768 wrote to memory of 2532	2768	Ödeme Bildirimi.exe	32
PID 2768 wrote to memory of 2532	2768	Ödeme Bildirimi.exe	32
PID 2768 wrote to memory of 2532	2768	Ödeme Bildirimi.exe	32
PID 2768 wrote to memory of 2532	2768	Ödeme Bildirimi.exe	32
PID 2768 wrote to memory of 2708	2768	Ödeme Bildirimi.exe	34
PID 2768 wrote to memory of 2708	2768	Ödeme Bildirimi.exe	34
PID 2768 wrote to memory of 2708	2768	Ödeme Bildirimi.exe	34
PID 2768 wrote to memory of 2708	2768	Ödeme Bildirimi.exe	34
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36
PID 2768 wrote to memory of 2124	2768	Ödeme Bildirimi.exe	36

C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe
"C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PuSZrbOiAUSt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PuSZrbOiAUSt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe
  "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
1f19f7d7607ffa6f1f8d2422bb99a252

SHA1
89a54eea05bc2c5cb5dae74768ae948d8c55baf8

SHA256
e86f690922bbb156c3d28cc65dec00b1819e04e5cba2e9f76bfc562fab040913

SHA512
1189f6816bb4caa471f93e8d9ba4a79e6936e9394ff5326b7a50e8f9ee497f2cd8ec0cbbb557670d74b542d7a0b47794c3169b39a00c9612bdf473eb451a120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD11.tmp

Filesize
1KB

MD5
7dd281780efc2c3126d8df8c0e7fed76

SHA1
721909c66f5a4f48a06c6a7b5822a018b7e489f0

SHA256
d4611c57fdcf11517be00886966715d443f6cf432b88becb464e106d3611ced5

SHA512
8dfa2a2db1ada317212c2442947705d74118b8eb28482c8e53ff0287b938b11fab4b6381484a0684440ca316bcdf0fea886083813d9108992e6d1bd19c1b6bca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32b12db819ac507f8ee933fb074b322b

SHA1
bb716328b11158738ca340563d91d3a9165b095e

SHA256
152ff01d0b331b343eb47e9b93b4b6fbe59adfee411dfa07fe6120ddbaaf5a88

SHA512
ac594dd966bccd38763bd3e2d07ac2423212ec33a634e344e461f8cbfe2e9f47e214ef04206fa6e68534741abc3dd921af352519d613e93152604c260353696a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
memory/2124-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2124-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2768-5-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/2768-3-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2768-4-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/2768-6-0x0000000005300000-0x00000000053A4000-memory.dmp

Filesize
656KB

Download
memory/2768-36-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-2-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-1-0x00000000010C0000-0x0000000001186000-memory.dmp

Filesize
792KB

Download