Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 10:47
Behavioral task behavioral1
Sample: dxwebsetup.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: dxwebsetup.exe
Resource: win10v2004-20241007-en
General
Target: dxwebsetup.exe
Size: 328KB
MD5: 2cca969570717a0af4f2531eb69cc7c9
SHA1: 692243584cca03a41bab00ae6113e6e7a3d14863
SHA256: a9971d2f3b8c1611723938a3ea6578c27f31049d3297e607cf0ee6927a4a26c7
SHA512: 3a2257abdadb2ef34a8171a3c3965b8e6bba955dcda0ca837a635736da0f17795e71ff93d8f4421a51ac9778d10dce1f3c28a62149d05ccf07ae75934fff5670
SSDEEP: 6144:k9Qc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQxhWK87:BcvgLARDI1KIOzOl
Malware Config
Signatures
Detect Neshta payload (3 IoCs)
YARA rule family_neshta matched:
- behavioral1/files/0x0001000000010314-28.dat (dropped file)
- behavioral1/memory/2336-153-0x0000000000400000-0x000000000041B000-memory.dmp (PID 2336, image region)
- behavioral1/memory/2336-155-0x0000000000400000-0x000000000041B000-memory.dmp (PID 2336, image region)
Neshta
Neshta is a file-infecting virus: it writes its own code into other executables it finds on the system so that each infected program re-runs the virus before the original code, and in this run it also hijacks the .exe file association so that every program launched through the shell passes through its dropped C:\Windows\svchost.com stub first.
Neshta family
Executes dropped EXE (2 IoCs)
- PID 2360: dxwebsetup.exe
- PID 3052: dxwsetup.exe
Loads dropped DLL (10 IoCs)
- PID 2336 dxwebsetup.exe (2 loads)
- PID 2360 dxwebsetup.exe (4 loads)
- PID 3052 dxwsetup.exe (4 loads)
Modifies system executable filetype association (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (dxwebsetup.exe)
The default for this value is "%1" %*. With the change, every .exe launched through the shell is started via the dropped svchost.com, which runs the virus and then the requested program. When cleaning a host, restore this value before removing C:\Windows\svchost.com; deleting the stub first leaves every .exe unlaunchable from the shell.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No file or registry IoC is listed for this signature in this run, so treat it as unconfirmed.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (dxwebsetup.exe, PID 2360)
This RunOnce value is the standard cleanup hook written by Microsoft's wextract self-extractor (the stub used by IExpress packages such as the DirectX web installer): at the next logon it deletes the IXP000.TMP extraction directory and then removes itself. It is not persistence for the virus; the Neshta persistence is the exefile association change above.
Drops file in System32 directory (7 IoCs)
- File created C:\Windows\SysWOW64\directx\websetup\SETE513.tmp (dxwsetup.exe)
- File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll (dxwsetup.exe)
- File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup (dxwsetup.exe)
- File opened for modification C:\Windows\SysWOW64\directx\websetup\SETE502.tmp (dxwsetup.exe)
- File created C:\Windows\SysWOW64\directx\websetup\SETE502.tmp (dxwsetup.exe)
- File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll (dxwsetup.exe)
- File opened for modification C:\Windows\SysWOW64\directx\websetup\SETE513.tmp (dxwsetup.exe)
All seven writes come from dxwsetup.exe, the unpacked DirectX web setup stage, and are the installer's own dsetup.dll/dsetup32.dll staging (SET*.tmp are the transient copies it writes before renaming). None of them is attributable to the infector.
Drops file in Program Files directory (64 IoCs)
Every entry is "File opened for modification" by dxwebsetup.exe (PID 2336, the submitted sample). The targets are existing executables belonging to other products under PROGRA~2 (Program Files (x86)) and PROGRA~3 (ProgramData) in 8.3 short-name form. An installer writes its own payload; a file infector rewrites other programs' executables, which is what this list shows.
- C:\PROGRA~2\WI54FB~1\setup_wm.exe
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
- C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
- C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
- C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
- C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~2\WINDOW~1\wabmig.exe
- C:\PROGRA~2\WI54FB~1\wmprph.exe
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
- C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
- C:\PROGRA~2\WINDOW~1\WinMail.exe
- C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
- C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
- C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\misc.exe
- C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
- C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE
- C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE
- C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
- C:\PROGRA~2\WI54FB~1\WMPDMC.exe
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe
- C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe
- C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
- C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
- C:\PROGRA~2\WI54FB~1\wmpconfig.exe
- C:\PROGRA~2\WI54FB~1\wmpshare.exe
- C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
- C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE
- C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
- C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
- C:\PROGRA~2\WI54FB~1\wmlaunch.exe
- C:\PROGRA~2\WI4223~1\sidebar.exe
Drops file in Windows directory (4 IoCs)
- File opened for modification C:\Windows\svchost.com (dxwebsetup.exe)
- File opened for modification C:\Windows\Logs\DirectX.log (dxwsetup.exe)
- File opened for modification C:\Windows\INF\setupapi.app.log (dxwsetup.exe)
- File opened for modification C:\Windows\security\logs\scecomp.log (dxwsetup.exe)
Only the first entry belongs to the virus: C:\Windows\svchost.com is the stub that the hijacked exefile association points at (the real service host is svchost.exe under System32). The three log files are ordinary installer logging by dxwsetup.exe.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dxwebsetup.exe, 2 times)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dxwsetup.exe)
Opening this key is generic locale handling that most Windows programs perform on startup; on its own it is a weak signal.
Modifies registry class (1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (dxwebsetup.exe)
This is the same registry write reported under "Modifies system executable filetype association" above, matched by a second, more generic signature.
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeRestorePrivilege, PID 3052 dxwsetup.exe (enabled 7 times)
SeRestorePrivilege is what an elevated installer enables to write into protected system directories; coming from dxwsetup.exe, the DirectX setup stage, this is expected behaviour rather than an indicator of the virus.
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 2336 dxwebsetup.exe wrote to memory of PID 2360 (7 events, procid_target 31)
- PID 2360 dxwebsetup.exe wrote to memory of PID 3052 (7 events, procid_target 32)
Both targets are the writer's own newly created child, so this is consistent with ordinary process creation (the parent writing the child's startup data) rather than injection into an unrelated process. The two edges give the parent/child chain 2336 -> 2360 -> 3052 shown under Processes.
Processes
1. C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe (PID 2336)
   Command line: "C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe"
   - Loads dropped DLL
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe (PID 2360, child of 2336)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe (PID 3052, child of 2360)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
The chain reads as a Neshta-infected installer: the submitted 328KB file (PID 2336) is the infected stub, which carries out the infection (exefile hijack, svchost.com, Program Files rewrites), writes the original host program to %TEMP%\3582-490\ and runs it (PID 2360). That copy is the uninfected wextract-packaged DirectX web installer, which unpacks dxwsetup.exe into IXP000.TMP and runs it (PID 3052); everything PID 3052 does is normal installer activity.
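Sandbox reports print one WriteProcessMemory IoC per call, so the 14 lines above have to be collapsed before they become a process tree. The following Python is an added example, not part of the report, that parses the report's IoC lines into parent/child edges, walks the lineage of a leaf PID, and labels each stage by the directory it runs from (3582-490 is the temp directory the Neshta stub uses for the clean original it carries; IXP000.TMP is the extraction directory of Microsoft's wextract self-extractor, matching the wextract_cleanup0 RunOnce value above). The event lines and PID-to-image map are constructed copies of what the report shows.

```python
"""Rebuild the process chain from a report's WriteProcessMemory IoCs (added example)."""
import re
from collections import Counter

# One IoC line as the report prints it:
#   PID <writer> wrote to memory of <target> <writer> <image> <index>
WPM_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")

# Constructed copy of the 14 IoC lines from the report.
WPM_EVENTS = (
    ["PID 2336 wrote to memory of 2360 2336 dxwebsetup.exe 31"] * 7
    + ["PID 2360 wrote to memory of 3052 2360 dxwebsetup.exe 32"] * 7
)

# PID -> image path, copied from the report's Processes section.
PROCESSES = {
    2336: r"C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe",
    2360: r"C:\Users\Admin\AppData\Local\Temp\3582-490\dxwebsetup.exe",
    3052: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe",
}


def parent_edges(lines):
    """Collapse repeated write events into (writer_pid, target_pid) -> count.

    Several writes into a freshly created child are normal: the parent fills
    in the child's startup data before the child's main thread runs.
    """
    edges = Counter()
    for line in lines:
        m = WPM_LINE.match(line)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def lineage(edges, pid):
    """Follow writer -> target edges upward from `pid`; returns a root-first PID list."""
    parent_of = {target: writer for (writer, target) in edges}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


def stage_role(path):
    """Classify a stage by the directory it runs from.

    3582-490: temp directory the Neshta stub writes the clean original to.
    IXP000.TMP: extraction directory of the wextract self-extractor.
    Anything else here is the submitted file itself.
    """
    low = path.lower()
    if "\\3582-490\\" in low:
        return "clean host program dropped by the Neshta stub"
    if "\\ixp000.tmp\\" in low:
        return "payload unpacked by the wextract self-extractor"
    return "submitted sample (infected stub)"


def describe_chain(lines, processes, leaf):
    """Return [(pid, image, role), ...] from the root process down to `leaf`."""
    return [(pid, processes[pid], stage_role(processes[pid]))
            for pid in lineage(parent_edges(lines), leaf)]


if __name__ == "__main__":
    for pid, image, role in describe_chain(WPM_EVENTS, PROCESSES, 3052):
        print(f"{pid}: {image}  [{role}]")
```

The same parser works on any report in this format; the stage labels are specific to the Neshta-plus-wextract pattern seen here and would be the part to adapt for another family.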
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
The sandbox lists the dropped/downloaded artifacts by size and hash only. They include the genuine installer's unpacked components as well as the file the family_neshta rule matched, so match each hash against the file-drop IoCs above before treating it as malicious.
- 547KB
  MD5: cf6c595d3e5e9667667af096762fd9c4
  SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
  SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
  SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
- 93KB
  MD5: 984cad22fa542a08c5d22941b888d8dc
  SHA1: 3e3522e7f3af329f2235b0f0850d664d5377b3cd
  SHA256: 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308
  SHA512: 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef
- 1.5MB
  MD5: a5412a144f63d639b47fcc1ba68cb029
  SHA1: 81bd5f1c99b22c0266f3f59959dfb4ea023be47e
  SHA256: 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6
  SHA512: 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405
- 477B
  MD5: ad8982eaa02c7ad4d7cdcbc248caa941
  SHA1: 4ccd8e038d73a5361d754c7598ed238fc040d16b
  SHA256: d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00
  SHA512: 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28
- 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
- 288KB
  MD5: 2cbd6ad183914a0c554f0739069e77d7
  SHA1: 7bf35f2afca666078db35ca95130beb2e3782212
  SHA256: 2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
  SHA512: ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
- 515KB
  MD5: ac3a5f7be8cd13a863b50ab5fe00b71c
  SHA1: eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9
  SHA256: 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da
  SHA512: c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba