General
Target: bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174
Size: 63KB
Sample: 240706-cd9wessejr
MD5: 9cfc47f2c14f7024d74cb09ec44e5796
SHA1: 0f9a9147d8b90d5ead7483594f50b5583df969d9
SHA256: bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174
SHA512: 5d93da9250592020bc55c26c67960340cabbacb9174881fc15e353113b8346bf5d7d03f77ab9d48ba70f123b5072b40b8e8b8a7fb1f5e46f871af03c57e8a444
SSDEEP: 1536:FFE881aPmpWCKOSLNxfdmR4Ykqr3K3Ss2ehzYGvKwvWa:FFG1aup0OSRm2YFraCs2euGiGWa
Behavioral tasks
behavioral1: 新建文件夹/fast.exe on win7-20240705-en
behavioral2: 新建文件夹/fast.exe on win10v2004-20240704-en
behavioral3: 新建文件夹/svchost.exe on win7-20240705-en
behavioral4: 新建文件夹/svchost.exe on win10v2004-20240704-en
Malware Config
Extracted from C:\info.hta (the same two URLs were recovered in both runs that dropped the note):
http://www.w3.org/TR/html4/strict.dtd
https://pidgin.im/download/windows/
The first URL is the HTML 4 DOCTYPE reference from the HTA's own markup, not attacker infrastructure; the second is a link to the Pidgin messenger download included in the ransom note, which is how the victim is expected to contact the operators.
Targets

Target: 新建文件夹/fast.exe
Size: 56KB
MD5: 9ad577d23f402be16acb2bdd9619aaf2
SHA1: 054e7451b8394d33bd59201653801fe1313a4841
SHA256: 0d990218e7ca3beff50d56a7cd3c6325c32e98413554e1b5614f101923706032
SHA512: b1be8815efdf59bc5fc2d0602cc01ce123edaea5b803c1733a33fdaf95b1172bb39f8cb762eb07c6d943b3e12789a053feb9c14a50ec8eb82fa491a55a7658ce
SSDEEP: 1536:CNeRBl5PT/rx1mzwRMSTdLpJCMBrzQM5+N:CQRrmzwR5JVUN
Signatures:
- Deletes shadow copies: ransomware removes Volume Shadow Copies so that the victim cannot restore pre-encryption versions of files and inhibit-recovery becomes part of the extortion.
- Modifies boot configuration data using bcdedit: boot-time recovery options are changed, a second way of inhibiting system recovery.
- Renames multiple (316) files with added filename extension: consistent with ransomware encrypting files across the system and appending its own extension.
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, most likely as a geofence.
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
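As an added example (not part of the sandbox report and not code from the sample), the following Python runs detection logic for the command-line behaviours listed above over a constructed set of process-creation events. The event contents, rule patterns and the ATT&CK mappings in the rule table are mine, written to match what the report attributes to fast.exe; the point is that a single parent process tripping several recovery-inhibition and persistence rules is the pattern an analyst should alert on, while an isolated `vssadmin list shadows` is not.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not taken from the report). Each tuple is
# (parent image, image, command line), the fields a Sysmon Event ID 1 or a
# Security 4688 event would carry. The file paths are illustrative.
SAMPLE_EVENTS = [
    (r"C:\Users\victim\Desktop\fast.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet"),
    (r"C:\Users\victim\Desktop\fast.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled no"),
    (r"C:\Users\victim\Desktop\fast.exe", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (r"C:\Users\victim\Desktop\fast.exe", r"C:\Windows\System32\netsh.exe",
     "netsh advfirewall set allprofiles state off"),
    (r"C:\Users\victim\Desktop\fast.exe", r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v fast /t REG_SZ /d C:\Users\victim\fast.exe /f"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),            # benign: enumerates, does not delete
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs"),           # benign service host
]

# Rule table: (signature name as the report words it, ATT&CK technique, pattern).
# The ATT&CK IDs are my mapping, not something the report states for each rule.
RULES = [
    ("Deletes shadow copies", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"
                r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
                r"|Win32_ShadowCopy", re.I)),
    ("Modifies boot configuration data using bcdedit", "T1490",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+.*?"
                r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Modifies Windows Firewall", "T1562.004",
     re.compile(r"netsh(?:\.exe)?\s+(?:advfirewall|firewall)\s+.*\b(?:set|add|delete)\b", re.I)),
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"reg(?:\.exe)?\s+add\s+\S*\\Windows\\CurrentVersion\\Run\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    event_index: int
    rule: str
    attack_id: str
    parent: str
    cmdline: str


def detect(events):
    """Return one Hit per (event, rule) pair whose command line matches the rule."""
    hits = []
    for idx, (parent, _image, cmdline) in enumerate(events):
        normalised = " ".join(cmdline.split())   # collapse padding used to dodge naive matches
        for name, attack_id, pattern in RULES:
            if pattern.search(normalised):
                hits.append(Hit(idx, name, attack_id, parent, cmdline))
    return hits


def triage(events):
    """Group matched signature names by parent process.

    One parent responsible for shadow-copy deletion, bcdedit tampering, firewall
    changes and a Run key in the same session is the ransomware pattern in the
    report; a lone match is weaker evidence and deserves a look, not an alert.
    """
    by_parent = {}
    for hit in detect(events):
        by_parent.setdefault(hit.parent, set()).add(hit.rule)
    return {parent: sorted(rules) for parent, rules in by_parent.items()}


if __name__ == "__main__":
    for parent, rules in triage(SAMPLE_EVENTS).items():
        print(f"{parent}: {len(rules)} signature(s)")
        for rule in rules:
            print(f"  - {rule}")
```

Feed it real events by replacing SAMPLE_EVENTS with tuples pulled from your EDR or Sysmon export; the benign `vssadmin list shadows` and the service-host launch in the sample are there to show that the rules key on the destructive verbs, not on the binary name alone.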

Target: 新建文件夹/svchost.com
Size: 40KB
MD5: 13058802fd08204a986fefda371c984e
SHA1: 18ca69efc8c46fbcb8a8905ab5ddcb1c57db6bd1
SHA256: 40df0e0008b6342068604c7c159a1b4f81b149e4ddb674ceafe49c71b066c330
SHA512: 9ad85c30155fceb6a9f6455e03d5bfeced9e3bc366f2bfba537c393e81dd664ee58cb5a480531da510cf620aea9514ccb6bcc232f6e551c3b9d1491d00672fb2
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJFbxYuXlBg:JxqjQ+P04wsmJCcbxZXL
Score: 10/10
Signatures:
- Detect Neshta payload
- Neshta: Neshta is a file-infecting virus. It prepends its own code to Windows executables it can reach, so that launching any infected program also runs Neshta, and it spreads further with every execution. The dropped svchost.com is the infector's standalone copy.
- Modifies system executable filetype association: the handler for the exefile class is changed so that the dropped component runs in front of every .exe the user opens, which keeps the infector resident even if individual infected files are cleaned.
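Checking for that association hijack is easier on an exported registry hive than on a live box, so here is an added Python example (mine, not the report's or the sample's) that parses a constructed `.reg` export and compares the exefile open handler against the Windows default of `"%1" %*`. The export text and the `%SystemRoot%\svchost.com` location are assumptions standing in for what a Neshta-infected host would show; the default-value parsing and unescaping follow the `.reg` file format.

```python
import re

# Handler Windows installs for the exefile class: run the target with its own
# arguments. Any program placed in front of "%1" is interposed on every .exe launch.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Per-user Classes override the per-machine ones, so check HKCU first.
EXEFILE_KEYS = (
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)

# Constructed .reg export (not from the report). .reg syntax escapes backslashes
# and quotes inside string values, which is why the lines below look doubled up.
# The svchost.com path is an assumption about where the infector installs itself.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="%SystemRoot%\\svchost.com \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"
'''


def parse_reg_default_values(text):
    """Map every key in a .reg export to its unescaped default (@) string value.

    Real exports from reg.exe are UTF-16 LE; open them with encoding="utf-16"
    before passing the text in. Non-default values are ignored here on purpose.
    """
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = re.match(r'^@="(.*)"$', line)
        if value_match and current_key:
            # Undo .reg escaping: \\ -> \ and \" -> "
            values[current_key] = re.sub(r'\\(["\\])', r"\1", value_match.group(1))
    return values


def check_exefile_association(text):
    """Return (is_hijacked, command) for the effective exefile open handler.

    (False, None) means neither key is present in the export, which is not a
    clean result, just an absent one; re-export with the Classes keys included.
    """
    values = parse_reg_default_values(text)
    for key in EXEFILE_KEYS:
        command = values.get(key)
        if command is not None:
            return (command.strip().lower() != DEFAULT_EXEFILE_COMMAND.lower(), command)
    return (False, None)


def interposed_program(command):
    """Program that runs before the real target, or None when the handler is default."""
    idx = command.find('"%1"')
    prefix = command[:idx].strip() if idx > 0 else ""
    return prefix or None


if __name__ == "__main__":
    hijacked, cmd = check_exefile_association(SAMPLE_REG_EXPORT)
    print("exefile handler:", cmd)
    if hijacked:
        print("HIJACKED, interposed program:", interposed_program(cmd))
```

To use it on a suspect machine, export both Classes branches with `reg export HKLM\SOFTWARE\Classes\exefile exefile_hklm.reg` (and the HKCU equivalent) and pass the file contents in; the function reports the per-user key when one exists because that is the handler Explorer will actually honour.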
MITRE ATT&CK Matrix (ATT&CK v13; the number after each technique is how many signatures mapped to it)
Persistence
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Event Triggered Execution (T1546): 2
    Change Default File Association (T1546.001): 1
    Netsh Helper DLL (T1546.007): 1
Privilege Escalation
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  Event Triggered Execution (T1546): 2
    Change Default File Association (T1546.001): 1
    Netsh Helper DLL (T1546.007): 1
Defense Evasion
  Indicator Removal (T1070): 3
    File Deletion (T1070.004): 3
  Impair Defenses (T1562): 1
    Disable or Modify System Firewall (T1562.004): 1
  Modify Registry (T1112): 3
  Direct Volume Access (T1006): 1