General
Target: A Лgpj.exe
Size: 685KB
Sample: 240717-q2mbxstbmr
MD5: c7c5e457968b1ee3bd9b78de3fb1a85b
SHA1: 577da3fbd37a5d62ba0c0140a11a37d7862a2809
SHA256: 42401e825ec7e5a59c7a9130eba566504aa40bffcbc5df263b8edf00625dc6c1
SHA512: 620f9a1ba9a132595d172eadd863533e14ac48811ebecfdf653a2dd06b455a2fa5fa9fe24d3cfa13e8c6f1090eb2430147a5fe54d35b3d3e64d084bd4976c26e
SSDEEP: 12288:jyveQB/fTHIGaPkKEYzURNAwbAg8HPsR5c8MAg4emyWqVwhAOJ/JTkG:juDXTIGaPhEYzUzA0qpVROJtkG
Static task: static1
Behavioral task: behavioral1
Sample: A Лgpj.exe
Resource: win7-20240708-en

Malware Config
Extracted: xworm
Hosts: 127.0.0.1:14365, 21.ip.gl.ply.gg:14365
Install_directory: %Userprofile%
install_file: USB.exe
Targets
Target: A Лgpj.exe
Size: 685KB (MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Detect Neshta payload
- Detect Xworm Payload
- Neshta: malware from the Neshta family infects other executables in order to spread itself and cause damage.
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)