General
-
Target
c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6
-
Size
63KB
-
Sample
240704-tjp7ms1djb
-
MD5
17b368698ffc4be537f89bd9369f6f59
-
SHA1
ed3cea7a3f3ec7ac85ab73bd7006d49f3e66676b
-
SHA256
c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6
-
SHA512
15f6954b12afcd6bf7a2b611585742686a0b13b2b57dcc213ff035942b0dbd269b0ff7f1e6de115e5f5cd8e40e925a26e1985184f0d2206752f2dc549729435a
-
SSDEEP
1536:YmDiCZ9S39tz6azEP3j5XbRGFVWhHLm6uYndduu:ZDi+a9tz6azEvlXbRGFVWlnuYeu
Behavioral task
behavioral1
Sample
新建文件夹/fast.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
新建文件夹/fast.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
新建文件夹/svchost.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
新建文件夹/svchost.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
C:\info.hta
http://www.w3.org/TR/html4/strict.dtd'>
https://pidgin.im/download/windows/</li>
Extracted
C:\info.hta
http://www.w3.org/TR/html4/strict.dtd'>
https://pidgin.im/download/windows/</li>
Targets
-
-
Target
新建文件夹/fast.exe
-
Size
56KB
-
MD5
9ad577d23f402be16acb2bdd9619aaf2
-
SHA1
054e7451b8394d33bd59201653801fe1313a4841
-
SHA256
0d990218e7ca3beff50d56a7cd3c6325c32e98413554e1b5614f101923706032
-
SHA512
b1be8815efdf59bc5fc2d0602cc01ce123edaea5b803c1733a33fdaf95b1172bb39f8cb762eb07c6d943b3e12789a053feb9c14a50ec8eb82fa491a55a7658ce
-
SSDEEP
1536:CNeRBl5PT/rx1mzwRMSTdLpJCMBrzQM5+N:CQRrmzwR5JVUN
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (313) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
新建文件夹/svchost.com
-
Size
40KB
-
MD5
13058802fd08204a986fefda371c984e
-
SHA1
18ca69efc8c46fbcb8a8905ab5ddcb1c57db6bd1
-
SHA256
40df0e0008b6342068604c7c159a1b4f81b149e4ddb674ceafe49c71b066c330
-
SHA512
9ad85c30155fceb6a9f6455e03d5bfeced9e3bc366f2bfba537c393e81dd664ee58cb5a480531da510cf620aea9514ccb6bcc232f6e551c3b9d1491d00672fb2
-
SSDEEP
768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJFbxYuXlBg:JxqjQ+P04wsmJCcbxZXL
Score10/10-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Modifies system executable filetype association
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
3