Analysis
-
max time kernel
102s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
01-02-2025 07:39
General
-
Target
2025-02-01_956d4875855427a4eab2929413b397eb_makop_neshta.exe
-
Size
89KB
-
MD5
956d4875855427a4eab2929413b397eb
-
SHA1
f1b139d31050e53aef22d3cdee0a98c510165d99
-
SHA256
72b86cb783b57ef3a62fcce38ff308fdd303f38f73e8283356f5140e8607e2ea
-
SHA512
61a3fdeee055319b6c9c25c0f136cc4b07844d61c079f3cca23d79344f3add6d5edc397f95de8a61ca16f9fd45f4a05df997ae542a6ef4cdba27307966e763f3
-
SSDEEP
1536:JxqjQ+P04wsmJCPbInVXEedxaX318HxZATvnsblYO6CaPK7s:sr85CPIlHa318RZEvsbyOZaPus
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\+README-WARNING+.txt
Signatures
-
Detect Neshta payload 3 IoCs
-
MAKOP ransomware payload 1 IoCs
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Makop family
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (8316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-01_956d4875855427a4eab2929413b397eb_makop_neshta.exe"C:\Users\Admin\AppData\Local\Temp\2025-02-01_956d4875855427a4eab2929413b397eb_makop_neshta.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\2025-02-01_956d4875855427a4eab2929413b397eb_makop_neshta.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\2025-02-01_956d4875855427a4eab2929413b397eb_makop_neshta.exe"2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
547KB
MD5cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
Filesize
1KB
MD5a0f66ba6e48fffac414993e930f3b2b5
SHA1424a2fc2f4e96ee9e08cb1ce854ddcc07bfdecc2
SHA25687e7f00690e9393defaf786d758cd2acb231a1a74e7926f4487e67963613357c
SHA512aa00577bf5e67a2eab3550b8e44c949e947251764e9e079045b5320955df306397d2a20231111708aec414252a9f4611a831305e68b41cbefd31d9e908ec1cbf
-
Filesize
8B
MD57d0f9a8e8fc7e94a548e6721490ce0ae
SHA13597427d86395f967a450dcd3beeb4902d1ecb83
SHA2568c92e7b32627b849ed826fc38f314b930ea3dd627aaa68fdd6c4ef3d0ef9e7db
SHA512ee772c8ca19ff946e34421a17ea8ec0c80ce14ac9e1ed6752190c674376f083c602e495884ac89518057342c7dc09b3d6ff8bfa7e72f0328efd70627b9a5f72a
-
Filesize
252KB
MD59e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
Filesize
49KB
MD5f2f90ff3ef928a4c328d8fafdd6f5b4d
SHA1a9c5f68926f1c5a1f4af3b90568e37d32f667a09
SHA256a746ab28531910fd2cdc915a37974ce5c9cfc6f7c697ebec523e2e2766b19035
SHA512f18554bf4c417542edd26bbb117b8187625d060889de31c23095b3a7df9f0c700a51307c44d2b7e7c56b0cec2d9d6ef5abfa29768867087fb0d10e0081063707
-
Filesize
108KB
-
Filesize
108KB