neshta | b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6

Analysis

max time kernel
128s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
Size

90KB
MD5

00f11fbcf44beed85a399092e63c9d31
SHA1

379caa41e166c6b779ad7e547abfd64dfea36aab
SHA256

b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6
SHA512

6daa8a74739df97b7e91a864f9655039245410c6927e95779032a88093b258ecc2d6dd2a8197252aa38fdbeb99e61c32f3e51ce07f550cff73505183507bd892
SSDEEP

1536:JxqjQ+P04wsmJCMLznZ9iuo4Z726L/j98M6nJdV2otr/f9qilkOqN:sr85CMLrf24Z72q98M6nJ/2Otqz

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
behavioral2/memory/700-95-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/700-96-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/700-98-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

Drops file in Windows directory 1 IoCs

Processes:

b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

description ioc process

File opened for modification C:\Windows\svchost.com b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

Modifies registry class 1 IoCs

Processes:

b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe

C:\Users\Admin\AppData\Local\Temp\b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
"C:\Users\Admin\AppData\Local\Temp\b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:700

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\b586b266c46c66eec9f97961ae5fd1fe082bfdc37f9084d7b043959665b198f6.exe
Filesize
50KB

MD5
66a27a15aae707a72537e6b02280efc2

SHA1
3d0c5fcbfb83d5c50cb34fe32e87ad1d9c284016

SHA256
674f02f279767e9a173986c562a9a124561c0bf09731deffa934dd94d534df28

SHA512
b2a24695dfd3e6bd7549c515593d2168d6d51576871166e29f18ec0cefc8c12a9fca2af9c17f0a181dae45bd53bc68566119994a988877c505cd899a0140b7f4

Download Submit
memory/700-95-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/700-96-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/700-98-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download