Overview

overview

10

Static

static

10

svchost.exe

windows10-2004-x64

Resubmissions

01-06-2023 10:07

230601-l5tsyseb2s 10

01-06-2023 09:47

230601-lsp91aea4y 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    svchost.exe

  • Size

    98KB

  • Sample

    230601-l5tsyseb2s

  • MD5

    9a1695e1acd4ae173365e8b740a8481c

  • SHA1

    5e81eca5d5851787a69cb79aebce1dcb7dde441e

  • SHA256

    736a83eea1a6f524b085cf1647ee5c26dd6749e6546749f951ca268c0e88f0ac

  • SHA512

    7446376ea758d6adaa728a9ab282559dcc0f31bb6d50763187ab7461f18da3865fa01a91418b274b0a6b1bf292702b4968a951801c073c1afaaf05dbedde8ec3

  • SSDEEP

    1536:JxqjQ+P04wsmJC+NGO46pNeRBl5PT/rx1mzwRMSTdLpJJM:sr85C+NNQRrmzwR5Je

Score
10/10
neshtaphobosevasionpersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      svchost.exe

    • Size

      98KB

    • MD5

      9a1695e1acd4ae173365e8b740a8481c

    • SHA1

      5e81eca5d5851787a69cb79aebce1dcb7dde441e

    • SHA256

      736a83eea1a6f524b085cf1647ee5c26dd6749e6546749f951ca268c0e88f0ac

    • SHA512

      7446376ea758d6adaa728a9ab282559dcc0f31bb6d50763187ab7461f18da3865fa01a91418b274b0a6b1bf292702b4968a951801c073c1afaaf05dbedde8ec3

    • SSDEEP

      1536:JxqjQ+P04wsmJC+NGO46pNeRBl5PT/rx1mzwRMSTdLpJJM:sr85C+NNQRrmzwR5Je

    Score
    10/10
    neshtaphobosevasionpersistenceransomwarespywarestealer

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

      ransomwarephobos

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Renames multiple (369) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks