Overview

overview

10

Static

static

1

kam.cmd

windows7-x64

10

kam.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    kam.cmd

  • Size

    6KB

  • Sample

    240523-tv7wtshb22

  • MD5

    c32ba3b07c8f7fec2d3b665e6c7b721e

  • SHA1

    b4b05b772cfa9350934afffc9dcd9dc97593978e

  • SHA256

    320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9

  • SHA512

    16e043dfbc62e16388a8c5557247dff151ee6458aa609dc83d71b8b99fb78d4483de4500c4487e40c3c194a6e96a0a839e07f7bba7bbd6ef1876b5f90fda9f64

  • SSDEEP

    96:cQYS1jOk72delutVRuj9cGXDHwKx7l9VPl73Y1gyMc1jTCc9WGwqdyl7doL:Q1c2deeVwDTHtx7hPl73U91CsWGw1qL

Score
10/10
neshtaexecutionpersistencespyware

Malware Config

Targets

    • Target

      kam.cmd

    • Size

      6KB

    • MD5

      c32ba3b07c8f7fec2d3b665e6c7b721e

    • SHA1

      b4b05b772cfa9350934afffc9dcd9dc97593978e

    • SHA256

      320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9

    • SHA512

      16e043dfbc62e16388a8c5557247dff151ee6458aa609dc83d71b8b99fb78d4483de4500c4487e40c3c194a6e96a0a839e07f7bba7bbd6ef1876b5f90fda9f64

    • SSDEEP

      96:cQYS1jOk72delutVRuj9cGXDHwKx7l9VPl73Y1gyMc1jTCc9WGwqdyl7doL:Q1c2deeVwDTHtx7hPl73U91CsWGw1qL

    Score
    10/10
    neshtaexecutionpersistencespyware

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks