General
Target: bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174
Size: 63KB
Sample: 240706-cd9wessejr
MD5: 9cfc47f2c14f7024d74cb09ec44e5796
SHA1: 0f9a9147d8b90d5ead7483594f50b5583df969d9
SHA256: bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174
SHA512: 5d93da9250592020bc55c26c67960340cabbacb9174881fc15e353113b8346bf5d7d03f77ab9d48ba70f123b5072b40b8e8b8a7fb1f5e46f871af03c57e8a444
SSDEEP: 1536:FFE881aPmpWCKOSLNxfdmR4Ykqr3K3Ss2ehzYGvKwvWa:FFG1aup0OSRm2YFraCs2euGiGWa
Behavioral task: behavioral1
Sample: 新建文件夹/fast.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 新建文件夹/fast.exe
Resource: win10v2004-20240704-en

Behavioral task: behavioral3
Sample: 新建文件夹/svchost.exe
Resource: win7-20240705-en

Behavioral task: behavioral4
Sample: 新建文件夹/svchost.exe
Resource: win10v2004-20240704-en
Malware Config
Extracted from C:\info.hta:
- http://www.w3.org/TR/html4/strict.dtd
- https://pidgin.im/download/windows/
Targets

Target: 新建文件夹/fast.exe
Size: 56KB
MD5: 9ad577d23f402be16acb2bdd9619aaf2
SHA1: 054e7451b8394d33bd59201653801fe1313a4841
SHA256: 0d990218e7ca3beff50d56a7cd3c6325c32e98413554e1b5614f101923706032
SHA512: b1be8815efdf59bc5fc2d0602cc01ce123edaea5b803c1733a33fdaf95b1172bb39f8cb762eb07c6d943b3e12789a053feb9c14a50ec8eb82fa491a55a7658ce
SSDEEP: 1536:CNeRBl5PT/rx1mzwRMSTdLpJCMBrzQM5+N:CQRrmzwR5JVUN
Signatures:
- Deletes shadow copies. Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit.
- Renames multiple (316) files with added filename extension. This suggests ransomware activity of encrypting all the files on the system.
- Modifies Windows Firewall.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Drops startup file.
- Adds Run key to start application.
- Drops desktop.ini file(s).

Target: 新建文件夹/svchost.com
Size: 40KB
MD5: 13058802fd08204a986fefda371c984e
SHA1: 18ca69efc8c46fbcb8a8905ab5ddcb1c57db6bd1
SHA256: 40df0e0008b6342068604c7c159a1b4f81b149e4ddb674ceafe49c71b066c330
SHA512: 9ad85c30155fceb6a9f6455e03d5bfeced9e3bc366f2bfba537c393e81dd664ee58cb5a480531da510cf620aea9514ccb6bcc232f6e551c3b9d1491d00672fb2
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJFbxYuXlBg:JxqjQ+P04wsmJCcbxZXL
Score: 10/10
Signatures:
- Detect Neshta payload.
- Neshta. Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
- Modifies system executable filetype association.
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Change Default File Association (1), Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Change Default File Association (1), Netsh Helper DLL (1)

Defense Evasion
- Direct Volume Access (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Indicator Removal (3): File Deletion (3)
- Modify Registry (3)