General
Target: c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6
Size: 63KB
Sample: 240704-tjp7ms1djb
MD5: 17b368698ffc4be537f89bd9369f6f59
SHA1: ed3cea7a3f3ec7ac85ab73bd7006d49f3e66676b
SHA256: c36f650adbd3d2274ff5b8a86874d845293041710e149e96b7cc11f584b22dd6
SHA512: 15f6954b12afcd6bf7a2b611585742686a0b13b2b57dcc213ff035942b0dbd269b0ff7f1e6de115e5f5cd8e40e925a26e1985184f0d2206752f2dc549729435a
SSDEEP: 1536:YmDiCZ9S39tz6azEP3j5XbRGFVWhHLm6uYndduu:ZDi+a9tz6azEvlXbRGFVWlnuYeu
Behavioral tasks
- behavioral1: sample 新建文件夹/fast.exe, resource win7-20240508-en
- behavioral2: sample 新建文件夹/fast.exe, resource win10v2004-20240611-en
- behavioral3: sample 新建文件夹/svchost.exe, resource win7-20240220-en
- behavioral4: sample 新建文件夹/svchost.exe, resource win10v2004-20240508-en
Malware Config
Extracted from C:\info.hta:
- http://www.w3.org/TR/html4/strict.dtd
- https://pidgin.im/download/windows/
Targets

Target: 新建文件夹/fast.exe
Size: 56KB
MD5: 9ad577d23f402be16acb2bdd9619aaf2
SHA1: 054e7451b8394d33bd59201653801fe1313a4841
SHA256: 0d990218e7ca3beff50d56a7cd3c6325c32e98413554e1b5614f101923706032
SHA512: b1be8815efdf59bc5fc2d0602cc01ce123edaea5b803c1733a33fdaf95b1172bb39f8cb762eb07c6d943b3e12789a053feb9c14a50ec8eb82fa491a55a7658ce
SSDEEP: 1536:CNeRBl5PT/rx1mzwRMSTdLpJCMBrzQM5+N:CQRrmzwR5JVUN
Signatures:
- Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit
- Renames multiple (313) files with added filename extension: this suggests ransomware activity of encrypting all the files on the system.
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)

Target: 新建文件夹/svchost.com
Size: 40KB
MD5: 13058802fd08204a986fefda371c984e
SHA1: 18ca69efc8c46fbcb8a8905ab5ddcb1c57db6bd1
SHA256: 40df0e0008b6342068604c7c159a1b4f81b149e4ddb674ceafe49c71b066c330
SHA512: 9ad85c30155fceb6a9f6455e03d5bfeced9e3bc366f2bfba537c393e81dd664ee58cb5a480531da510cf620aea9514ccb6bcc232f6e551c3b9d1491d00672fb2
SSDEEP: 768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJFbxYuXlBg:JxqjQ+P04wsmJCcbxZXL
Score: 10/10
Signatures:
- Detect Neshta payload
- Neshta: malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.
- Modifies system executable filetype association
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2): Change Default File Association (1), Netsh Helper DLL (1)
Privilege Escalation:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2): Change Default File Association (1), Netsh Helper DLL (1)
Defense Evasion:
- Indicator Removal (3): File Deletion (3)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (3)
- Direct Volume Access (1)