Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-03-2024 10:34

General

  • Target

    2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe

  • Size

    197KB

  • MD5

    5d65d61b82de6b9dcdb67a30cae300cd

  • SHA1

    e32500c38d39665f5af7860b6bf3b06af3f9c300

  • SHA256

    a0e6a9fec2e7ed51bf36286e416deaec40e6bae8174e8c3fb3c1996fa7ef81ed

  • SHA512

    f3fa41d0ba991dfa1f23c1ade289201adce06bae9a0495efee15afb3d17f06c9fde43d1fd63e580f8c7abd7cab333a041cb8c502d351ab85aa21196ca76b59d5

  • SSDEEP

    3072:sr85CykgZqltP33686plZG1kqxSb6WpDDDDDDDDDDDDDDDDDDDE45d/t6sq:k9pgZqll32rZ2txSb35d/zq

Malware Config

Extracted

Path

C:\Users\O957g99QW.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.
BLOG Tor Browser Links:
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

>>>>> What guarantee is there that we won't cheat you?
We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live

>>>>> You need to contact us on TOR darknet sites with your personal ID
Download and install Tor Browser https://www.torproject.org/
Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.

Tor Browser personal link for CHAT available only to you (available during a ddos attack):
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks):
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> Your personal Black ID: 27E1278B16C094FD6534BB3C4818C199 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!

>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
Signatures

  • Detect Neshta payload 13 IoCs
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Neshta

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Renames multiple (140) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution.

  • Executes dropped EXE 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\ProgramData\F076.tmp
        "C:\ProgramData\F076.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1744
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3120
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4976

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\LLLLLLLLLLL

      Filesize

      129B

      MD5

      ff2498f29ace334a0f1b0363329c98ab

      SHA1

      55b936414b4129d0b3d34ce3431e48fc4bf44067

      SHA256

      b8ae4e3bf4e920e62af051fe6910e204b59223becdb5dc97af6e347dcab53a48

      SHA512

      4bfd1deb5039115fe23eb1f334d539f8a5f8bc15de3b2f270d85afad73435ce6ad7df398dda967bde3c4cc1b1a31830637dc9fa2f0683bc55e00b04c2fec68c8

    • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

      Filesize

      2.4MB

      MD5

      8ffc3bdf4a1903d9e28b99d1643fc9c7

      SHA1

      919ba8594db0ae245a8abd80f9f3698826fc6fe5

      SHA256

      8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

      SHA512

      0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

    • C:\ProgramData\F076.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe

      Filesize

      156KB

      MD5

      75e3d908fdddee413481dba88258783b

      SHA1

      4cd6c1a88f3575d298aa168356651d5237bb72ab

      SHA256

      36aae3ba1a6fd78e040bba4522f6c15d5a3627ae78b27ff6879ee64d038445a4

      SHA512

      d7c1e0bd3eb3888579ef696ea48ae4d83d70f08b3bafb23288a81ed40e1501513e2739af119c4a0f9d788f7aa4a6500df80260151a8eeeb7f6fe19fc5cf34256

    • C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      156KB

      MD5

      036b7458049043791575654e1b4b2f05

      SHA1

      e9a329378fc5939cb584429272aa418cbce5d281

      SHA256

      ffa3cd3d5603affc3d7484bf8e05c8897d92b5fa087f481c6314ee854e088525

      SHA512

      811a4303285c6df96e9e4c2ea0d1772ba9a435bbfd3919c2b03afa9024672aa55379ffc5f7f5406eaebf7d85b98f47f155ad6f0880a70a69e9296edd8644f98c

    • C:\Users\O957g99QW.README.txt

      Filesize

      3KB

      MD5

      af6c2fc04d6fb6eb424e08d4b45ce3b5

      SHA1

      fe7d78642acd874590ef935ccde60c589a27cc69

      SHA256

      9dac1c01e8c041a14aafe45131d333ec5761a1525eb5d0d4d15e19ff2431ca0e

      SHA512

      0a93f792be449b5f90c1deac8bcd461cf591c87bd05e339f1d465a19b9474a4002b02755afb14023d1eb4f2c531328a3674a5a1a09af654c2ae8c96de393b7ec

    • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      be08733292f2b9a788823d67a076c1a1

      SHA1

      7cc863c695e4ce3bafc9ec87cbce0a8936f9e248

      SHA256

      3dfe1565de901139bb1761ae9a342f3e27c898c27cb2186daaa69a0a39c9a4aa

      SHA512

      53a7d455ae1f7d87b9e0cee06b378d48f3b0a99bd1652943df8648ab7e83c30dce9327e5f5f9ea333f5071ac87301eb90d5254d670dcb5a59fc4d85fb056cde5

    • memory/1744-458-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB

    • memory/1744-426-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

    • memory/1744-425-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

    • memory/1744-424-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB

    • memory/1744-423-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB

    • memory/1744-422-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB

    • memory/1744-459-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB

    • memory/2600-416-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-457-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-1-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-308-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-463-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-462-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-461-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-304-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-239-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-352-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-455-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2600-456-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/4592-13-0x00000000024B0000-0x00000000024C0000-memory.dmp

      Filesize

      64KB

    • memory/4592-12-0x00000000024B0000-0x00000000024C0000-memory.dmp

      Filesize

      64KB

    • memory/4592-11-0x00000000024B0000-0x00000000024C0000-memory.dmp

      Filesize

      64KB

    • memory/4592-305-0x00000000024B0000-0x00000000024C0000-memory.dmp

      Filesize

      64KB

    • memory/4592-306-0x00000000024B0000-0x00000000024C0000-memory.dmp

      Filesize

      64KB

    • memory/4592-307-0x00000000024B0000-0x00000000024C0000-memory.dmp

      Filesize

      64KB