Overview

overview

10

Static

static

10

9493660c3d...79.exe

windows7-x64

10

9493660c3d...79.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79

  • Size

    158KB

  • Sample

    240620-a1zmvsyhrc

  • MD5

    629205c3fafec1ec163409031790146d

  • SHA1

    1bd9432378e21774324a4f0e34f4f6933ccb94b0

  • SHA256

    9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79

  • SHA512

    40305f90a85572da5269c0f5c9589f5ddb5c603e8cad6faebc2f9de53cdee99781970447f194822ed912c77f3abe0956996d4ee4e1f7edd4c7b06b497ada6e45

  • SSDEEP

    1536:JxqjQ+P04wsmJCu8SBKygMc5FWF96RDW3Mz8c+nowfs6Zfe7MI8ACc+aprlOxqjh:sr85CpSfg5Fo6xdwc+08anp9r85C

Score
10/10
neshtaphorphiexevasionloaderpersistencespywarestealertrojanworm

Malware Config

Targets

    • Target

      9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79

    • Size

      158KB

    • MD5

      629205c3fafec1ec163409031790146d

    • SHA1

      1bd9432378e21774324a4f0e34f4f6933ccb94b0

    • SHA256

      9493660c3d8cd4ddb6df8fee3c8f1470c876cf9076311e5f26c3fd4218a74b79

    • SHA512

      40305f90a85572da5269c0f5c9589f5ddb5c603e8cad6faebc2f9de53cdee99781970447f194822ed912c77f3abe0956996d4ee4e1f7edd4c7b06b497ada6e45

    • SSDEEP

      1536:JxqjQ+P04wsmJCu8SBKygMc5FWF96RDW3Mz8c+nowfs6Zfe7MI8ACc+aprlOxqjh:sr85CpSfg5Fo6xdwc+08anp9r85C

    Score
    10/10
    neshtaphorphiexevasionloaderpersistencespywarestealertrojanworm

    • Detect Neshta payload

    • Modifies security service

      evasion

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Windows security bypass

      evasiontrojan

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

5
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks