General
Target: kdmapper.rar
Size: 212KB
Sample: 240521-waf9gsdb49
MD5: 6865e4056761d624996aa64549e28858
SHA1: 8a10286c90d86baec7025b8b2d011dea02b3b5fd
SHA256: fc68c8abc16227d7157a7666f71919af2702a891419d74e6fed5f4b324e3487d
SHA512: f6d803a880cd888d37a7f902c0bcaa097ae85646aa55abb1d268de07fa0637caa7abed61442664b7b67b26e4fe30099a4e7d4f5ea5693181c20eeca21cdc6a6b
SSDEEP: 6144:nOc9vYyX9/A0J8yMg8hMB5+MKs9IXfyiaz:j9vYS9/A0KG5sXfuz

Static task: static1
Malware Config
Extracted family: xworm
45.88.90.228:7000
178.215.236.228:7000
Install_directory: %ProgramData%
install_file: RtkAudUService64.exe
Targets
Target: kdmapper/kdmapper.exe
Size: 213KB
MD5: 8b0bec71c0c9bfb67fc51cfeca662758
SHA1: aac11a7bcc44ac97f609375271d60b47d09764b6
SHA256: 8b20f47382ac9fb608e568787d9d2974a3c3716bf56ba0208ef5599b19db4a1c
SHA512: 0e62b0c72caccdc35307bf9175c101ac3b1076f918db54605bad71097104befff8d818977401ed808bfc8b1abc56c8c5af243bc9fdc51ee4e8b50fb1bfbb25b8
SSDEEP: 6144:tTsNwAJb5JrD89A32tvPHilDRfc8t0hVkPn:tAN9JFJrD89akvm9f5OVk
Detect Neshta payload
Detect Xworm payload
Neshta
  Malware from the Neshta family is a file infector: it writes itself into other executables to spread and cause damage.
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops startup file
Executes dropped EXE
Modifies system executable filetype association
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Event Triggered Execution (1)
    Change Default File Association (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)