Findings

Time: 2025-12-15 11:28:21 UTC

Compromised Host: Contractorpc1 (192.168.10.11)

Suspicious IP address: 95.216.37.156

Possible Malware Family: Neshta

File Hash: 033f6d632bb7841e4d61a3ae05fa4e388b8d971117639440bc7154b1d9614507

Persistence Observed: C:\Users\administrator\AppData\Local\Microsoft\OneDrive\Update\update.xml


Investigation

On 2025-12-15 11:28:21 UTC an attacker successfully authenticated via RDP to ContractorPC1, compromising the administrator account. The observed process execution chain involving svchost.exe, OneDriveLauncher.exe and FileCoAuth.exe aligns with normal Windows and OneDrive startup behaviour. However, Microsoft Defender detected Win32/Neshta.A because these legitimate binaries had been maliciously modified. This malware family propagates by infecting existing executables. Based on the observable evidence, a file creation event was recorded for a file named “update.xml” at “C:\Users\administrator\AppData\Local\Microsoft\OneDrive\Update\update.xml”, a location used by OneDrive’s built-in update and maintenance mechanisms. The presence of update metadata explains the repeated execution of OneDrive-related processes, which the attacker used to masquerade as a form of persistence.
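As an added host-triage example (not part of the original report or the investigator's tooling), the following PowerShell checks a host against the indicators the report names: the update.xml persistence path, the reported file hash, the suspicious IP address, and RDP logons in the incident window. It also verifies the Authenticode signature of executables under the OneDrive folder, since a file infector that modifies a Microsoft-signed binary leaves it with a broken signature. The OneDrive folder root, the incident window start time, the extensions scanned and the function name Invoke-NeshtaTriage are assumptions of this example, not values from the report.

```powershell
# Added triage example; not part of the original report.
# Assumptions: run in an elevated PowerShell session on the affected host,
# Security event log retention still covers the incident window, and the
# OneDrive folder layout is the per-user one named in the report.

$KnownBadHash    = '033f6d632bb7841e4d61a3ae05fa4e388b8d971117639440bc7154b1d9614507'  # from report
$SuspiciousIp    = '95.216.37.156'                                                       # from report
$PersistenceFile = 'C:\Users\administrator\AppData\Local\Microsoft\OneDrive\Update\update.xml'  # from report
$OneDriveRoot    = 'C:\Users\administrator\AppData\Local\Microsoft\OneDrive'             # assumption
$IncidentStart   = [datetime]::Parse('2025-12-15T11:00:00Z')                             # assumption (window start)

function Invoke-NeshtaTriage {
    # A List is used (not an array with +=) so that .Add() inside pipeline
    # script blocks mutates the same object rather than a child-scope copy.
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Persistence artifact named in the report
    if (Test-Path -LiteralPath $PersistenceFile) {
        $f = Get-Item -LiteralPath $PersistenceFile
        $findings.Add([pscustomobject]@{
            Check  = 'PersistenceFile'
            Detail = "$($f.FullName) created $($f.CreationTimeUtc.ToString('u')) size $($f.Length)"
        })
    }

    # 2. Hash executables under the OneDrive folder and compare with the reported IoC.
    #    Also verify Authenticode: a file infector changes the PE body, so a
    #    signed binary that now reports HashMismatch or NotSigned is a strong signal.
    Get-ChildItem -LiteralPath $OneDriveRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            if ($hash -ieq $KnownBadHash) {
                $findings.Add([pscustomobject]@{ Check = 'HashMatch'; Detail = $_.FullName })
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                $findings.Add([pscustomobject]@{
                    Check  = 'SignatureInvalid'
                    Detail = "$($_.FullName) status=$($sig.Status)"
                })
            }
        }

    # 3. Live TCP connections to the suspicious IP
    Get-NetTCPConnection -RemoteAddress $SuspiciousIp -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'NetworkConnection'
                Detail = "pid $($_.OwningProcess) $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)"
            })
        }

    # 4. RDP logons: Event ID 4624 with LogonType 10 (RemoteInteractive).
    #    For 4624, Properties[5] is TargetUserName, [8] is LogonType, [18] is IpAddress.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $IncidentStart } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'RdpLogon'
                Detail = "$($_.TimeCreated.ToUniversalTime().ToString('u')) user=$($_.Properties[5].Value) source=$($_.Properties[18].Value)"
            })
        }

    return $findings
}

Invoke-NeshtaTriage | Format-Table -AutoSize
```

Any SignatureInvalid row for OneDriveLauncher.exe or FileCoAuth.exe corroborates the report's finding that those binaries were modified, independently of the Defender verdict; an empty result for the hash and network checks only shows the artifact is no longer present or the connection is closed, not that the host is clean.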


WHO

Host: Contractorpc1 (192.168.10.11)

WHAT

Unauthorized successful login via RDP; Defender detected malware: a file infector virus believed to have infected the legitimate executables OneDriveLauncher.exe and FileCoAuth.exe, possibly to collect information about the system and its users.

WHEN

Based on the investigation and evidence from Microsoft XDR, the infector file was observed on 2025-12-15 11:38:22 UTC and last seen on 2025-12-15 11:28:55 UTC. To determine whether the activity is still ongoing, given that the process was killed by the system, note that a file named “update.xml” was created and placed under the trusted OneDrive folder path. The malware achieved persistence by abusing OneDrive while masquerading inside legitimate binaries.

WHERE

The activity took place on a computer with the IP address 192.168.10.11.