Resubmissions

18-01-2023 05:55

230118-gmgy8aah37 10

07-11-2022 07:03

221107-hvgh4adce6 10

General

  • Target

    c7bf35ae066d80a2f2a0381f30fd1f426514ee403e4f41810b317f4fd8ad5a44

  • Size

    96KB

  • Sample

    230118-gmgy8aah37

  • MD5

    f45a2a3e4a24c3ea9fb86ba430cd0afe

  • SHA1

    7909730d282bafeecaaf61beabfa0d40c29fd986

  • SHA256

    c7bf35ae066d80a2f2a0381f30fd1f426514ee403e4f41810b317f4fd8ad5a44

  • SHA512

    0f6c46cd6da0655113c3971d66467f96a9c41ac0e51ed3342e07c04b60b0ac0b2f3e759f60b19c457599a9a7419a2498534ac980417e40c5aaf2639b1907c4bc

  • SSDEEP

    1536:JxqjQ+P04wsmJCWQ5/s/JCnpNeRBl5PT/rx1mzwRMSTdLpJZM:sr85CFGYpQRrmzwR5Ju

Malware Config

Targets

    • Target

      c7bf35ae066d80a2f2a0381f30fd1f426514ee403e4f41810b317f4fd8ad5a44

    • Size

      96KB

    • MD5

      f45a2a3e4a24c3ea9fb86ba430cd0afe

    • SHA1

      7909730d282bafeecaaf61beabfa0d40c29fd986

    • SHA256

      c7bf35ae066d80a2f2a0381f30fd1f426514ee403e4f41810b317f4fd8ad5a44

    • SHA512

      0f6c46cd6da0655113c3971d66467f96a9c41ac0e51ed3342e07c04b60b0ac0b2f3e759f60b19c457599a9a7419a2498534ac980417e40c5aaf2639b1907c4bc

    • SSDEEP

      1536:JxqjQ+P04wsmJCWQ5/s/JCnpNeRBl5PT/rx1mzwRMSTdLpJZM:sr85CFGYpQRrmzwR5Ju

    • Detect Neshta payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family is a file infector: it writes its own code into other executable files so that running any of them spreads the infection and causes damage.

    • Phobos

      Phobos ransomware first appeared in early 2019.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Runs wbadmin.exe to delete the Windows backup catalog and inhibit system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before running.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
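The recovery-inhibition behaviours flagged above (shadow copy deletion, backup catalog deletion via wbadmin.exe, bcdedit changes, firewall changes) are the ones a detection engineer would most want to catch early. The following script is an added example and is not part of the sandbox report or of any sandbox's own rule set. It scans process-creation log lines for those behaviours, groups hits by parent process, and scores how many distinct recovery-inhibition techniques one sample used. The pipe-delimited log format and the specific command lines (vssadmin, wmic shadowcopy, wbadmin delete catalog, bcdedit /set, netsh advfirewall) are assumptions chosen for the example; the report names the behaviours, not the exact invocations, and the log lines are constructed, not captured from this sample.

```python
import re
from collections import Counter

# Each rule: (signature name mirroring the report, regex over the lower-cased command line).
# The command lines matched here are ASSUMED typical invocations for each behaviour;
# the sandbox report only names the behaviour, not the exact command.
RULES = [
    ("deletes_shadow_copies",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("deletes_backup_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("modifies_bcd",
     re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("modifies_firewall",
     re.compile(r"netsh(\.exe)?\s+(advfirewall|firewall)\s+set\b")),
    ("adds_run_key",
     re.compile(r"reg(\.exe)?\s+add\s+.*\\currentversion\\run\b")),
]

# Signatures whose combination strongly suggests ransomware staging.
RECOVERY_INHIBITION = {"deletes_shadow_copies", "deletes_backup_catalog", "modifies_bcd"}

# Assumed log format (one process creation per line): pid|parent_image|image|command_line
LOG_LINE = re.compile(r"^(?P<pid>\d+)\|(?P<parent>[^|]*)\|(?P<image>[^|]*)\|(?P<cmd>.*)$")

# Constructed sample log, not captured from the analysed binary.
SAMPLE_LOG = """\
1204|C:\\Windows\\explorer.exe|C:\\Users\\victim\\Desktop\\sample.exe|sample.exe
1210|C:\\Users\\victim\\Desktop\\sample.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
1211|C:\\Users\\victim\\Desktop\\sample.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
1212|C:\\Users\\victim\\Desktop\\sample.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wbadmin delete catalog -quiet
1213|C:\\Users\\victim\\Desktop\\sample.exe|C:\\Windows\\System32\\netsh.exe|netsh advfirewall set currentprofile state off
1220|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users
"""


def parse_line(line):
    """Return a dict with pid/parent/image/cmd, or None for lines that do not match the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Run every rule over every well-formed line; one finding per (line, rule) that matches."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        cmd = rec["cmd"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"pid": int(rec["pid"]), "parent": rec["parent"],
                                 "rule": name, "cmd": rec["cmd"]})
    return findings


def parents_by_findings(findings):
    """Count findings per parent image: the spawning process is the likely malware binary."""
    return Counter(f["parent"] for f in findings)


def triage(findings, threshold=2):
    """Score the distinct recovery-inhibition techniques seen; two or more is treated as ransomware-like."""
    hit = {f["rule"] for f in findings}
    score = len(hit & RECOVERY_INHIBITION)
    return {"rules_hit": sorted(hit),
            "recovery_inhibition_score": score,
            "ransomware_like": score >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"pid={f['pid']} rule={f['rule']} parent={f['parent']}")
    print(parents_by_findings(found).most_common(1))
    print(triage(found))
```

The threshold of two distinct techniques is a design choice: a single vssadmin invocation does occur in legitimate administration, but shadow copy deletion plus bcdedit recovery changes plus a backup catalog wipe from the same parent, as this report describes, is rarely benign. In production the parent-image grouping is what turns the individual hits into a single incident on the dropper process.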

MITRE ATT&CK Enterprise v6

Tasks