General
-
Target
2024-03-28_7c3a91058402c3a2b5797fc63643e935_neshta_phobos
-
Size
96KB
-
Sample
240328-qyrggafe3s
-
MD5
7c3a91058402c3a2b5797fc63643e935
-
SHA1
7f7315165d88be6a38edc39092c88465826c0e32
-
SHA256
07ec14da6707934627f3342dbb9034d25ea159f30bb0ad7fb49a342328cecde5
-
SHA512
fe009e784705a721080d41044b0c40601321340d359a00064ab4517e411e5b8deacde2915a18d14e347f1a0e0ae7165800800ec2d5cbd6d13c5703a2ae0ea599
-
SSDEEP
1536:JxqjQ+P04wsmJCdvxN9bjayXk45JNeRBl5PT/rx1mzwRMSTdLpJdM:sr85CdpN9bXkKQRrmzwR5Jq
Behavioral task
behavioral1
Sample
2024-03-28_7c3a91058402c3a2b5797fc63643e935_neshta_phobos.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-03-28_7c3a91058402c3a2b5797fc63643e935_neshta_phobos.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
C:\info.hta
Hunter-X@tuta.io
Targets
-
Target
2024-03-28_7c3a91058402c3a2b5797fc63643e935_neshta_phobos
-
Size
96KB
-
MD5
7c3a91058402c3a2b5797fc63643e935
-
SHA1
7f7315165d88be6a38edc39092c88465826c0e32
-
SHA256
07ec14da6707934627f3342dbb9034d25ea159f30bb0ad7fb49a342328cecde5
-
SHA512
fe009e784705a721080d41044b0c40601321340d359a00064ab4517e411e5b8deacde2915a18d14e347f1a0e0ae7165800800ec2d5cbd6d13c5703a2ae0ea599
-
SSDEEP
1536:JxqjQ+P04wsmJCdvxN9bjayXk45JNeRBl5PT/rx1mzwRMSTdLpJdM:sr85CdpN9bXkKQRrmzwR5Jq
-
Detect Neshta payload
-
Neshta
Malware from the Neshta family injects itself into other files to spread and cause damage.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (3): File Deletion (3)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)