General

  • Target

    a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9

  • Size

    1.3MB

  • Sample

    220212-aqyyksfeel

  • MD5

    08676a0eaff0dc145df83c6e8da85920

  • SHA1

    729bfe1fcc9a31ee58ca56b7cc702b035838cb76

  • SHA256

    a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9

  • SHA512

    f80c3723a881de1317dfffabed8e07886651d8e6aa46b622562a4e726924bf7809e2101ed40e2316339067608febb6a2cf49a116a0cca791d9aea3afcf3e553e

Malware Config

Extracted

Path

C:\Read-this.txt

Ransom Note

All Your Files Has Been Encrypted You Have to Pay to Get Your Files Back 1-Go to C:\ProgramData\ or in Your other Drives and send us prvkey.txt.key file 2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data 3-Payment should be with Bitcoin 4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss Our Email:[email protected] in Case of no Answer:[email protected]
Emails

Email:[email protected]

Answer:[email protected]

Targets

    • Target

      a76599e3fc1c23140ac11b4335416c3bc29b6d9a9c028ed845433dd47f18a2e9

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks