Analysis
max time kernel: 147s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 10:34
Behavioral task behavioral1
Sample: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
Size: 197KB
MD5: 5d65d61b82de6b9dcdb67a30cae300cd
SHA1: e32500c38d39665f5af7860b6bf3b06af3f9c300
SHA256: a0e6a9fec2e7ed51bf36286e416deaec40e6bae8174e8c3fb3c1996fa7ef81ed
SHA512: f3fa41d0ba991dfa1f23c1ade289201adce06bae9a0495efee15afb3d17f06c9fde43d1fd63e580f8c7abd7cab333a041cb8c502d351ab85aa21196ca76b59d5
SSDEEP: 3072:sr85CykgZqltP33686plZG1kqxSb6WpDDDDDDDDDDDDDDDDDDDE45d/t6sq:k9pgZqll32rZ2txSb35d/zq
Malware Config
Extracted from: C:\Users\O957g99QW.README.txt
Signatures
-
Detect Neshta payload 13 IoCs
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Neshta
Malware from the Neshta family infects other executable files with copies of itself in order to spread and cause damage.
-
Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
yara_rule: family_lockbit
Renames multiple (140) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
Executes dropped EXE 2 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe, F076.tmp
- PID 4592: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
- PID 1744: F076.tmp
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\O957g99QW.bmp" (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\O957g99QW.bmp" (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
- File opened for modification: C:\Windows\svchost.com (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe
- Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\WallpaperStyle = "10" (process: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
Modifies registry class 6 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe (two instances)
All entries below were made by process 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\O957g99QW\DefaultIcon\ = "C:\\ProgramData\\O957g99QW.ico"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.O957g99QW\ = "O957g99QW"
Suspicious behavior: EnumeratesProcesses 16 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 7 IoCs
Processes: 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe (two instances)
- PID 2600 wrote to memory of 4592 (2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe -> 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
- PID 2600 wrote to memory of 4592 (2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe -> 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
- PID 2600 wrote to memory of 4592 (2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe -> 2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe)
- PID 4592 wrote to memory of 1744 (2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe -> F076.tmp)
- PID 4592 wrote to memory of 1744 (2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe -> F076.tmp)
- PID 4592 wrote to memory of 1744 (2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe -> F076.tmp)
- PID 4592 wrote to memory of 1744 (2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe -> F076.tmp)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe (PID 2600, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe"
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe (PID 4592, depth 2, spawned by PID 2600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-03-12_5d65d61b82de6b9dcdb67a30cae300cd_darkside_neshta.exe"
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\F076.tmp (PID 1744, depth 3, spawned by PID 4592)
    Command line: "C:\ProgramData\F076.tmp"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Windows\system32\vssvc.exe (PID 3120, depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4976, depth 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads