neshta | 87442a5ddc7c73ca68f99314464462d98dcdd5954a79faccc866a71d93d519c4

General

Target

APK-Injector Builder.sfx.exe
Size

98.2MB
MD5

77c5e7efcfceff0bca57fb9598e02919
SHA1

f339200cd9ec719d10bfa3140e3da837c52990d5
SHA256

87442a5ddc7c73ca68f99314464462d98dcdd5954a79faccc866a71d93d519c4
SHA512

a74ae51d3090966cf422aea24df1c242e1740749224f70f82b2fb6a515fc23b5e54552b726a2b8fd2ccfc7bf0116adadab4579c9484e2cf9301991d976b9a4f0
SSDEEP

1572864:zys4tDEOstPFXABNDRPJOKruqbz0BJIQ5j+Sg6nrsWRPCE9nGkk4l7+QyU4G:T4thEtKNDRxOUz0oQ5jTzVM1k/8Ql4G

Score

10^/10

neshta discovery persistence spyware upx

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019515-34.dat	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 3 IoCs

pid	Process
2988	Launcher.exe
1072	Launcher.exe
2844	Spymaxv2.exe

Loads dropped DLL 4 IoCs

pid	Process
2072	APK-Injector Builder.sfx.exe
1072	Launcher.exe
1268	Process not Found
1268	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a479-142.dat	upx
behavioral1/memory/1072-144-0x000007FEF4470000-0x000007FEF48D6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spymaxv2.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	APK-Injector Builder.sfx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	APK-Injector Builder.sfx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2072	APK-Injector Builder.sfx.exe
2072	APK-Injector Builder.sfx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2988	2072	APK-Injector Builder.sfx.exe	30
PID 2072 wrote to memory of 2988	2072	APK-Injector Builder.sfx.exe	30
PID 2072 wrote to memory of 2988	2072	APK-Injector Builder.sfx.exe	30
PID 2988 wrote to memory of 1072	2988	Launcher.exe	31
PID 2988 wrote to memory of 1072	2988	Launcher.exe	31
PID 2988 wrote to memory of 1072	2988	Launcher.exe	31

C:\Users\Admin\AppData\Local\Temp\APK-Injector Builder.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\APK-Injector Builder.sfx.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\Desktop\rec\pkg\Launcher.exe
  "C:\Users\Admin\Desktop\rec\pkg\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\Desktop\rec\pkg\Launcher.exe
    "C:\Users\Admin\Desktop\rec\pkg\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1072

C:\Users\Admin\Desktop\Spymaxv2.exe
"C:\Users\Admin\Desktop\Spymaxv2.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29882\python310.dll

Filesize
1.4MB

MD5
3f782cf7874b03c1d20ed90d370f4329

SHA1
08a2b4a21092321de1dcad1bb2afb660b0fa7749

SHA256
2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6

SHA512
950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

Download Submit
C:\Users\Admin\Desktop\rec\platform-tools\fastboot.exe

Filesize
1.6MB

MD5
243eff8bd862104fb399bcf1488b57a6

SHA1
b651c9260f11ffde765c978a588a95159e5be612

SHA256
917f35f86b35f5af676ae63ef2b8b4bd09b887a5643172d0c116aa7760015ff4

SHA512
ac6603af930fe655bfaebe0b5f36b147c39e0b4d1169e5973df68fbbd20f80f24b72f7cecd7f1412a59aeaf338cd2175326557536f1ec10c3d3caedc9c42beb4

Download Submit
\Users\Admin\Desktop\rec\pkg\Launcher.exe

Filesize
5.9MB

MD5
e632dad63d85e326f996d29455a73c5e

SHA1
b2790f28c60841c2cfd9334dc2b3d35a68965e56

SHA256
b3f3b2509384e16b578e69b3702074f91d76dd43dffc7f427072346d30900140

SHA512
8e68cecd310c0a7a27076b2d6f53b9b578e641d46d554ebf5fca33baac2741d8a501cb2728cf7870dc7a42dac8a2077bf1103a3ef190efb880035aec8ba5247a

Download Submit
memory/1072-144-0x000007FEF4470000-0x000007FEF48D6000-memory.dmp

Filesize
4.4MB

Download
memory/2844-169-0x00000000013B0000-0x00000000023B0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing