General
-
Target
240426-w39rhahe53_pw_infected.zip
-
Size
63KB
-
Sample
240426-2rzeaaee8y
-
MD5
1bd3e3af079dc3728c8fcccc62712cf6
-
SHA1
ec9c524c569cdb825013736a9152434d78c9e332
-
SHA256
7ad27c7e62ff08d9c6398c7471e61f77bf84d42ac29c8a74283ca84dec2d66be
-
SHA512
b149e6fd783f8342061b758e0524374b9c1ef6183d5365591e5d72f59f6e92b16ee16211606c344a84d7f3ce3fb4458aea8ba9c59552bfe267cd59357a705095
-
SSDEEP
1536:+uwaGXs+oFfV9/h6rhntCR+C2MiaPxjAZTRWnaSD:+uZGcvff/kr9mVIAxjA3WJD
Behavioral task
behavioral1
Sample
2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe
Resource
win7-20240221-en
Malware Config
Extracted
C:\info.hta
class='mark'>datarestore@cock.lu</span></div>
http://www.w3.org/TR/html4/strict.dtd'>
Targets
-
-
Target
2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos
-
Size
96KB
-
MD5
5ccd142bdebf68e32028807f80f86fa7
-
SHA1
362e35e58969ab6e6d9b232638868dd2217924a6
-
SHA256
d76da951ef6377b92f18c4bac0d69649ad87d4b38505d01084e74e225ef1c23b
-
SHA512
417a8ebe48f4bc787fb958e56d507864659507fc6188675a9f7e4b1b36b4ae68f3bbdff4318e0787987f95348ce9d95456fdcd243057353561dbe573de6f5960
-
SSDEEP
1536:JxqjQ+P04wsmJCHxaQa5Y5pfHbRZMwNeRBl5PT/rx1mzwRMSTdLpJmM:sr85CwV5Y5ptPQRrmzwR5Jz
-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
3File Deletion
3Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3