General
-
Target
2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos
-
Size
96KB
-
Sample
240426-w39rhahe53
-
MD5
5ccd142bdebf68e32028807f80f86fa7
-
SHA1
362e35e58969ab6e6d9b232638868dd2217924a6
-
SHA256
d76da951ef6377b92f18c4bac0d69649ad87d4b38505d01084e74e225ef1c23b
-
SHA512
417a8ebe48f4bc787fb958e56d507864659507fc6188675a9f7e4b1b36b4ae68f3bbdff4318e0787987f95348ce9d95456fdcd243057353561dbe573de6f5960
-
SSDEEP
1536:JxqjQ+P04wsmJCHxaQa5Y5pfHbRZMwNeRBl5PT/rx1mzwRMSTdLpJmM:sr85CwV5Y5ptPQRrmzwR5Jz
Behavioral task
behavioral1
Sample
2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
C:\info.hta
class='mark'>datarestore@cock.lu</span></div>
http://www.w3.org/TR/html4/strict.dtd'>
Extracted
C:\info.hta
class='mark'>datarestore@cock.lu</span></div>
http://www.w3.org/TR/html4/strict.dtd'>
Targets
-
-
Target
2024-04-26_5ccd142bdebf68e32028807f80f86fa7_neshta_phobos
-
Size
96KB
-
MD5
5ccd142bdebf68e32028807f80f86fa7
-
SHA1
362e35e58969ab6e6d9b232638868dd2217924a6
-
SHA256
d76da951ef6377b92f18c4bac0d69649ad87d4b38505d01084e74e225ef1c23b
-
SHA512
417a8ebe48f4bc787fb958e56d507864659507fc6188675a9f7e4b1b36b4ae68f3bbdff4318e0787987f95348ce9d95456fdcd243057353561dbe573de6f5960
-
SSDEEP
1536:JxqjQ+P04wsmJCHxaQa5Y5pfHbRZMwNeRBl5PT/rx1mzwRMSTdLpJmM:sr85CwV5Y5ptPQRrmzwR5Jz
-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (320) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Change Default File Association
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
3File Deletion
3Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3