General

  • Target

    001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d

  • Size

    257KB

  • Sample

    220816-x5x16agba5

  • MD5

    981526650af8d6f8f20177a26abb513a

  • SHA1

    4fee2cb5c98abbe556e9c7ccfebe9df4f8cde53f

  • SHA256

    001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d

  • SHA512

    08148c9d8b1ff5e580dc21ac63664585855dc20d8a5a6fd6de8382150442314f6747a4d40c4bc941d1351e86d1aa641e1667c5041e85cd0934d56330f7e6ada5

  • SSDEEP

    6144:k957WWlJmcyfwAPWna4DQFu/U3buRKlemZ9DnGAevIG6+VyJE1yR:O7WWKvhPWa4DQFu/U3buRKlemZ9DnGAN

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

ALL YOUR FILES HAVE BEEN ENCRYPTED BY "VICE SOCIETY" All your important documents, photos, databases were stolen and encrypted. If you don't contact us in 7 days we will upload your files to darknet. The only method of recovering files is to purchase an unique private key. We are the only who can give you tool to recover your files. To prove that we have the key and it works you can send us 2 files and we decrypt it for free (not more than 2 MB each). This file should be not valuable! Write to email: [email protected] Alternative email: [email protected] Public emai:l [email protected] Our tor website: vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.
URLs

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion

Targets

    • Target

      001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d

    • Size

      257KB

    • MD5

      981526650af8d6f8f20177a26abb513a

    • SHA1

      4fee2cb5c98abbe556e9c7ccfebe9df4f8cde53f

    • SHA256

      001938ed01bfde6b100927ff8199c65d1bff30381b80b846f2e3fe5a0d2df21d

    • SHA512

      08148c9d8b1ff5e580dc21ac63664585855dc20d8a5a6fd6de8382150442314f6747a4d40c4bc941d1351e86d1aa641e1667c5041e85cd0934d56330f7e6ada5

    • SSDEEP

      6144:k957WWlJmcyfwAPWna4DQFu/U3buRKlemZ9DnGAevIG6+VyJE1yR:O7WWKvhPWa4DQFu/U3buRKlemZ9DnGAN

    • Detect Neshta payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks