Resubmissions
19-10-2024 11:46
241019-nxh3lawepj 1019-10-2024 11:42
241019-nvc4kathmg 719-10-2024 11:38
241019-nrspvawcnp 1019-10-2024 11:33
241019-nnzc8atfla 1019-10-2024 11:27
241019-nkpplswakl 1019-10-2024 11:23
241019-nhfnxsvhmk 1019-10-2024 11:11
241019-najevashqf 1019-10-2024 11:07
241019-m762qssgph 3General
-
Target
6812964531.exe
-
Size
67KB
-
Sample
241019-nnzc8atfla
-
MD5
7de65122a13ab9d81368ee3dff3cc80a
-
SHA1
ecbb4db641431d4d672e4b88e8d309419fd32f04
-
SHA256
a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123
-
SHA512
b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401
-
SSDEEP
1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj
Static task
static1
Malware Config
Targets
-
-
Target
6812964531.exe
-
Size
67KB
-
MD5
7de65122a13ab9d81368ee3dff3cc80a
-
SHA1
ecbb4db641431d4d672e4b88e8d309419fd32f04
-
SHA256
a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123
-
SHA512
b156d77a665c3256ddfd016e46105b6e87db6a4c1ca77e9bb25b221c368f3cc53dddc7159602cfb926ef0cc9bacac57b6bd41e7e28998883c996727d58d29401
-
SSDEEP
1536:pr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/EXyBej:h7PEg3qcv5PvB/EVj
-
Detect Neshta payload
-
Detect Umbral payload
-
Modifies WinLogon for persistence
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1