General
Target: 2024-05-17_966b17c7522bb20a227f96e6f4a070e1_neshta_phobos
Size: 96KB
Sample: 240517-y9lpcshe7t
MD5: 966b17c7522bb20a227f96e6f4a070e1
SHA1: 9b90dafdc8ca885925f146789c935f9ed8edc04e
SHA256: aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7
SHA512: 85efbd360e6707dba220bbb56238847a841363aa404451b02edcc3a7846bc8b126bf717c75c41c02e48b36a5fed80d662769df054d8a2af342dc2ce115f18003
SSDEEP: 1536:JxqjQ+P04wsmJCu/SOILXy8IwNeRBl5PT/rx1mzwRMSTdLpJeM:sr85COkXhQRrmzwR5Jb
Behavioral task: behavioral1
Sample: 2024-05-17_966b17c7522bb20a227f96e6f4a070e1_neshta_phobos.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 2024-05-17_966b17c7522bb20a227f96e6f4a070e1_neshta_phobos.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted from: C:\info.hta
Contact e-mail in ransom note: datarestore@cock.lu
Targets
Target: 2024-05-17_966b17c7522bb20a227f96e6f4a070e1_neshta_phobos
Size: 96KB
MD5: 966b17c7522bb20a227f96e6f4a070e1
SHA1: 9b90dafdc8ca885925f146789c935f9ed8edc04e
SHA256: aa6bad227554bc1aeac6c0fb434b752c195873bdd4d07155948c1418337575a7
SHA512: 85efbd360e6707dba220bbb56238847a841363aa404451b02edcc3a7846bc8b126bf717c75c41c02e48b36a5fed80d662769df054d8a2af342dc2ce115f18003
SSDEEP: 1536:JxqjQ+P04wsmJCu/SOILXy8IwNeRBl5PT/rx1mzwRMSTdLpJeM:sr85COkXhQRrmzwR5Jb
- Detect Neshta payload
- Neshta: malware from the Neshta family infects other files in order to spread itself and cause damage.
- Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Renames multiple (307) files with added filename extension: this suggests ransomware activity of encrypting all the files on the system.
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (3): File Deletion (3)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)