General
-
Target
fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3
-
Size
1.3MB
-
Sample
220212-amnnfaeaa5
-
MD5
12cc5ca0a03ca82b23d1e87c423342e6
-
SHA1
776cf95b5dd0e23acc0a4f729e117757caeb3057
-
SHA256
fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3
-
SHA512
7cb0723a4dde7d0412af3712bd320bc714b762f7e0833114bf4bad5d0fb16152986eaea184d3d25af6fa586e7d9ba7e8ac0eb34028ea860a38dd1ca46f5e2e5d
Static task
static1
Behavioral task
behavioral1
Sample
fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3.exe
Resource
win10v2004-en-20220113
Malware Config
Extracted
C:\Read-this.txt
Targets
-
-
Target
fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3
-
Size
1.3MB
-
MD5
12cc5ca0a03ca82b23d1e87c423342e6
-
SHA1
776cf95b5dd0e23acc0a4f729e117757caeb3057
-
SHA256
fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3
-
SHA512
7cb0723a4dde7d0412af3712bd320bc714b762f7e0833114bf4bad5d0fb16152986eaea184d3d25af6fa586e7d9ba7e8ac0eb34028ea860a38dd1ca46f5e2e5d
-
Detect Neshta Payload
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-