General

  • Target

    fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3

  • Size

    1.3MB

  • Sample

    220212-amnnfaeaa5

  • MD5

    12cc5ca0a03ca82b23d1e87c423342e6

  • SHA1

    776cf95b5dd0e23acc0a4f729e117757caeb3057

  • SHA256

    fc1ba1cb407ee5e035e9dba0ff112cbd3e68c9ade61b0b6f6109210f4a951bc3

  • SHA512

    7cb0723a4dde7d0412af3712bd320bc714b762f7e0833114bf4bad5d0fb16152986eaea184d3d25af6fa586e7d9ba7e8ac0eb34028ea860a38dd1ca46f5e2e5d

Malware Config

Extracted

Path

C:\Read-this.txt

Ransom Note
All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back 1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey.txt.key file 2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data 3-Payment should be with Bitcoin 4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss Our Email:[email protected] in Case of no Answer:[email protected]
Emails

Email:[email protected]

Answer:[email protected]

Targets

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Neshta is a file infector: it injects its own code into other executables so that they spread the infection and cause further damage when run.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
