neshta | 010b4b3613d8e0feb0cb98ee08969c6ec75ec5a399090a3877b8bad94b3455c0

General

Target

APK-Injector Builder.sfx.exe
Size

93.3MB
MD5

9108827f5efd8fb757d47cdd3f112b72
SHA1

788ace960c6b5f7af35c9cd8cc1b36e46c35b347
SHA256

010b4b3613d8e0feb0cb98ee08969c6ec75ec5a399090a3877b8bad94b3455c0
SHA512

ebfb9676c68e82530a95f9073e7d8de4ae54b697ebaccfcb9ec3850b06b093b8d88d2bc3fcc1bb5463340ee7cb0853a13a03d167c95cd48a4bce22e653bb08dc
SSDEEP

1572864:uRe+PTxYgrB+gg6M97RDro1c+crtzL05092AEK+pwUJomE/xitxOMRyFwLmzhLDx:u0ExYkXE975drw0BEK+uCPE/xOxOMR4T

Score

10^/10

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a359-38.dat	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 2 IoCs

pid	Process
2840	Launcher.exe
264	Spymaxv2.exe

Loads dropped DLL 7 IoCs

pid	Process
2680	APK-Injector Builder.sfx.exe
2680	APK-Injector Builder.sfx.exe
1260	Process not Found
264	Spymaxv2.exe
264	Spymaxv2.exe
264	Spymaxv2.exe
264	Spymaxv2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spymaxv2.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	APK-Injector Builder.sfx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	APK-Injector Builder.sfx.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1976	AUDIODG.EXE
Token: 33	1976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1976	AUDIODG.EXE
Token: SeDebugPrivilege	264	Spymaxv2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2840	Launcher.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2680	APK-Injector Builder.sfx.exe
2680	APK-Injector Builder.sfx.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2840	2680	APK-Injector Builder.sfx.exe	30
PID 2680 wrote to memory of 2840	2680	APK-Injector Builder.sfx.exe	30
PID 2680 wrote to memory of 2840	2680	APK-Injector Builder.sfx.exe	30

C:\Users\Admin\AppData\Local\Temp\APK-Injector Builder.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\APK-Injector Builder.sfx.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\Desktop\rec\pkg\Launcher.exe
  "C:\Users\Admin\Desktop\rec\pkg\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2840

C:\Users\Admin\Desktop\Spymaxv2.exe
"C:\Users\Admin\Desktop\Spymaxv2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x16c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\rec\pkg\Launcher.exe

Filesize
1.6MB

MD5
765bdc0f8bc0d77f7414e7a36ae45fd9

SHA1
c303968d61bfeb154a110549217d40bbdaa7439c

SHA256
aa8f8a3e268493157e62d93ab9cafb94573606fe43a80e63e3e4f2e5c9b22a5b

SHA512
5bb1267c5f4b7dc67d7da75af08ce616d5f518ea5469443ded642c2c7410256b370d1b01c355191ae9df8cb3e56ce31910ff153761787aad054148b12add5718

Download Submit
C:\Users\Admin\Desktop\rec\platform-tools\fastboot.exe

Filesize
1.6MB

MD5
243eff8bd862104fb399bcf1488b57a6

SHA1
b651c9260f11ffde765c978a588a95159e5be612

SHA256
917f35f86b35f5af676ae63ef2b8b4bd09b887a5643172d0c116aa7760015ff4

SHA512
ac6603af930fe655bfaebe0b5f36b147c39e0b4d1169e5973df68fbbd20f80f24b72f7cecd7f1412a59aeaf338cd2175326557536f1ec10c3d3caedc9c42beb4

Download Submit
\Users\Admin\Desktop\Newtonsoft.Json.dll

Filesize
540KB

MD5
633e5b8199d4fa9f43f088099375044b

SHA1
056b827aa06c7b4348342dd25cd725f4d79db7f0

SHA256
73919f46fa73cf7b9407bc3806719c7738c55bae10a75890545069f0441ee74d

SHA512
6b242e5fc8a4dd85a4abb1476da938fa8ac44317fc09b8daa1c27a66c1dbc284a079ba71388d4d9995f13dc06ce653c95b89b27e6279dd7135c3750a8762188f

Download Submit
memory/264-129-0x00000000012A0000-0x00000000022A0000-memory.dmp

Filesize
16.0MB

Download
memory/264-130-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/264-134-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/264-137-0x0000000017D70000-0x000000001A69A000-memory.dmp

Filesize
41.2MB

Download

Analysis

Sharing