Analysis

  • max time kernel
    122s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-03-2024 01:38

General

  • Target

    2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil.exe

  • Size

    207KB

  • MD5

    41daca921d5f2128ccec2e79140627d2

  • SHA1

    20f6dda39b1e6a82a7ec62b533f740af7c14fc51

  • SHA256

    a50149e4dc2ba462591cf3bc8cc588fe46d772dec69757727880b5dc312662ae

  • SHA512

    c16d04d93a95168f00086f57208c0086d3ab1d60df2b054b103902d3263051d6e80e65ebec5733ca6b14b7f5edba7d587e74514df987ddb8d52c643ffd9573fe

  • SSDEEP

    3072:Ur8lmryy2RjLTuVyu7CJDgoMT3QPWYFQxLt79LFrb30BRtBZZg+i2v:Mt2y2RsQJ8zgPWSwxJ0BXScv

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

Campaign

1428

Decoy


Attributes
  • net

    true

  • pid

    $2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

  • prc

    mydesktopqos

    thebat64

    encsvc

    powerpnt

    thebat

    mydesktopservice

    outlook

    msaccess

    ocautoupds

    excel

    msftesql

    infopath

    xfssvccon

    thunderbird

    visio

    steam

    winword

    mysqld_opt

    sqlagent

    sqbcoreservice

    firefoxconfig

    tbirdconfig

    wordpad

    mysqld_nt

    mspub

    ocssd

    onenote

    dbeng50

    dbsnmp

    sqlservr

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    1428

  • svc

    svc$

    sophos

    memtas

    backup

    veeam

    vss

    mepocs

    sql

Extracted

Path

C:\Users\3w6v5q-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 3w6v5q. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF526BEDCB89A20D
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/BF526BEDCB89A20D
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: akyUf9eNAKmYcggd8rUuwYtXgC+kTX6Epwqde7a2HgE1BbFpbj7KnEVvyyxjojgI pLsnWZ2x8/jRu1ueyzgkmnULzwUIqdgaD9NG5J51javpZwGAq5ZIV33MJz6D9dwj bYBDGQAPIkF4dy8Qcpk9ovfS004gsVIWJVCKYVn/3gfatl9mtBVqWuZnHC0YjZTf nZye3avTeoHvhcSKvHZvvV6uS2qJKkOup67aW8JtIyrjczQf+hxwIxlBno8ENsH9 hhFVk38FJEn1Q3fZfsALGJB3NIpgNd325MslhhmuYAogILNsEvCEq9sMqx4VE1eX AfwE4DwWdOnTnu6ZgySJppexr5EMeff6ywzoLHw7WmWmnqCwfpQfkarzn/6cBjm7 Gdo4EN7eNf4555xmrhLR0BNMn+BUux/YyBe+QWThKgIosmYSRwPzwwLK6MNKtT4s OW1gsSdLVZ7WhSN9dgKNi6KHbdq/nw/ekJz6dxD6l1jKwZw2taQ4bQci3GsaWZ+T smXp1Eeox/qNyAo/++aLoi7I3heG9pCxTdrZFlRMvUzfFtNClM0qyAC4lRwYks7B 5gJr8rW6zdx+uZ5pB6d2jk+OH1bwR6jBK5ZWlnzg2ETimNQTps2lbtCJVeU27xbi XJD3MWEItO+hj3ppOveQ1xEc5ICPAiHs4DR1ZGsZzRJi5kBWaR1L+gmUC0WDohFq kCpmeZk0O4vnwbIGFwbldDW59tuU6JD1DuxF30qdCi/FGvlg4y8JxhzC+ll1CrUx bnVEfJXay6VpaBS+IyEY5i72DRTFspHA99JfopMF4DKD8x9O/aQyjVRhE0X1Au4y 3OGg+2u6s9JMsy4unLBNZGpx/4wT9mG8QlKR4F76ZBwFhaHk50t1ihDrRb8G1Tsn 9WMJ0vx5Z0z9BxaKZlakP8WOglLCcGtABEBNKwNvhSzleojpKCO+mg2ivZwkBndL Y5AqpmrX1odS5kSAhgjauLxI3rDRZUkmeKkxZjXFXmJyCo4sXKnozwYtPZJlKo16 ALjH0nEmmQAhGQesf8yPd0Zto08xpI7Epc/Br1rl1G1k/YgBL1/y4HXAtwxySWdk U6fZxQlbMO+z5oco46heLoHqmOhcWChOWDRhGSenwvNMijaCjhQrToir3QiskRUk xmflErJEAbBnQHF6/ymenfpu0rhENKCQe63tc9hitLgs1s750anIr6K5R8EzSe5y x4fZBvD861IZuAt2ruiJJEJfQwv1it+kbKi0UbnVNh8b9vxhR8GI8cDo849Bt0IM ENALSZhalgNAkHVopLQ+Rs/W4nGjvsn+/mWOkjvRm+zLtfJ0OgWFkmaUdsQ4rjn0 ypUXXXoow+ogbaphhjmfQgHCUuxBXthauBJWc4bG12Y= Extension name: 3w6v5q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF526BEDCB89A20D

http://decryptor.cc/BF526BEDCB89A20D

Signatures

  • Detect Neshta payload 6 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2436
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2816

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

      Filesize

      547KB

      MD5

      2229e8d5cdc7ad9b5e84ce366fd527b2

      SHA1

      736460d41892167b892d6426a5fd1196b9d5cb05

      SHA256

      c0cc8340991a3b48fbd169604a36fd88ef4056f1db10a929bdc0cfdd5123a098

      SHA512

      a4d482f1e3a442d0adab865ac26cfe08ef2b368f2cbb82fd1374ab5d7a93afffc122f28c9c357dd902d857f6c599b9e0e3108ca68dc08064f4737e8c4280991f

    • C:\Users\3w6v5q-readme.txt

      Filesize

      6KB

      MD5

      5d6c79495179a4233dfcba2e7ead314c

      SHA1

      fba5027a094acf95801d621657192005bb181689

      SHA256

      d4a7b1d57803eac66fccf234502aa832e0c7f97e136bf29a28de40ff21e323ea

      SHA512

      4f5a2993744a257b71afcef44edd67b8517ffd0dd14a78c2456119c3f32de127661e6e6a31f8c882d68d81a46de92c151ea263179190fe5e32b2cc50bf900bec

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\Local\Temp\CabA1BD.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarA35A.tmp

      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • C:\Windows\System32\catroot2\dberr.txt

      Filesize

      192KB

      MD5

      dd859ebfb9f732f599b44f267d7fb71f

      SHA1

      c5a0d41695c1276c2f68ea01e1e2a0149b348186

      SHA256

      d2f6b14f0f37c2756ebbbfa2efe4f85b03d2a838254d279f90ac1772f2ffecc3

      SHA512

      de078bb3013458a0c22840e558a4e7b828133d24c6dfc24e754774e9da2d339ad48ff1ab88312b1aced3a977efe794efff81a42ae808d21c5b651c109add11a8

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil.exe

      Filesize

      166KB

      MD5

      72e82c3418eefd708ef7887848278760

      SHA1

      cda4b494105853375379ae9009152a274e8880b2

      SHA256

      29ad3ad31948e4a58d4a6402b5dccdd5bfa384b996fb7ff94b7f4be29929b05e

      SHA512

      5041aaf1e8246933a1df0b34bb8772b7d7573a6767c29f728addabb89c5800701e552f5794f3e109cb9fb7b95190e2f96c115bbc9dcb86942bfa7bd56d3b5e5c

    • memory/2872-51-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

      Filesize

      9.6MB

    • memory/2872-61-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

      Filesize

      9.6MB

    • memory/2872-97-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

      Filesize

      9.6MB

    • memory/2872-60-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

    • memory/2872-52-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

    • memory/2872-58-0x0000000002850000-0x00000000028D0000-memory.dmp

      Filesize

      512KB

    • memory/2872-50-0x0000000002590000-0x0000000002598000-memory.dmp

      Filesize

      32KB

    • memory/2872-49-0x000000001B140000-0x000000001B422000-memory.dmp

      Filesize

      2.9MB

    • memory/2936-569-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2936-574-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2936-656-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2936-704-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2936-706-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB