Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-12-2024 14:23

General

  • Target

    2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe

  • Size

    188KB

  • MD5

    69045be037a5cf8195966f57bb30e5c5

  • SHA1

    d4f157136a1b8f43c474b2eaf6cbe86ead68ff62

  • SHA256

    f6c31b093d8940526584290954905d42e87bd16dd88fb64a876216a4e7a3805a

  • SHA512

    dd02da0a0f0aa40324c0717848899deb8d83d48edcaf3ab021eea431764d6efeb52b7943fe04e5987dd92b7f4d8c960a9586906ad0785e78aa990f787e66b398

  • SSDEEP

    3072:sr85CDcSNm9V7DzY07RiY/JhsUogtP9bW3KVu5RTfqJogYg:k9Dc4m9tDzY079sUocPCIm1q2g

Malware Config

Extracted

Path

C:\Qoi6ifOVU.README.txt

Ransom Note
~~~ Cerber 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom EMAIL US - [email protected] >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> Your personal DECRYPTION ID: AD7936094A57E972A31368A0083A02F9 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. If you want to contact us, write in EMAIL [email protected]

Signatures

  • Detect Neshta payload 9 IoCs
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Lockbit family
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Neshta family
  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Renames multiple (365) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 30 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\ProgramData\D97D.tmp
        "C:\ProgramData\D97D.tmp"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D97D.tmp >> NUL
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\D97D.tmp >> NUL
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2648
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2580

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\CCCCCCCCCCC

      Filesize

      129B

      MD5

      493a202b027625546aae08389617a0ad

      SHA1

      43767ab7339fa1e7aacf0d0a032924c072d2b0fc

      SHA256

      ff124cf7dc243a330161a6ad4a6a326b850c21f1cde07721b8842c2216fba894

      SHA512

      5be714ab3a92f7d8fe2dba453d1c201211550feff47ac348a32ab097688b73c65e143151485d7f33c1e26ce97323b0c6afaa75c8d7edf3b9508fd84bf3434449

    • C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

      Filesize

      485KB

      MD5

      86749cd13537a694795be5d87ef7106d

      SHA1

      538030845680a8be8219618daee29e368dc1e06c

      SHA256

      8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

      SHA512

      7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

    • C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

      Filesize

      674KB

      MD5

      97510a7d9bf0811a6ea89fad85a9f3f3

      SHA1

      2ac0c49b66a92789be65580a38ae9798237711db

      SHA256

      c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

      SHA512

      2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

    • C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

      Filesize

      674KB

      MD5

      9c10a5ec52c145d340df7eafdb69c478

      SHA1

      57f3d99e41d123ad5f185fc21454367a7285db42

      SHA256

      ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

      SHA512

      2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

    • C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{61087~1\VCREDI~1.EXE

      Filesize

      495KB

      MD5

      9597098cfbc45fae685d9480d135ed13

      SHA1

      84401f03a7942a7e4fcd26e4414b227edd9b0f09

      SHA256

      45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

      SHA512

      16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

      Filesize

      547KB

      MD5

      cf6c595d3e5e9667667af096762fd9c4

      SHA1

      9bb44da8d7f6457099cb56e4f7d1026963dce7ce

      SHA256

      593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

      SHA512

      ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    • C:\Qoi6ifOVU.README.txt

      Filesize

      1KB

      MD5

      a28efdb0c5bd255529342a6319e056ad

      SHA1

      fbdf310d98fed7c1a112704641891631c9146d80

      SHA256

      c93a950fa64f444a31d8e3589625488fb5eb680eb5ae510a1961d3a2d8cec28a

      SHA512

      c5d33882a6ac472de962ee3bef290366db0eb8dd47f4c80a0d97f7a222d64c842b972c1e4df474c153f0753bafca698340657e67f867e51ddf1a0e919697bcc7

    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe

      Filesize

      147KB

      MD5

      1d2ac566e1352e8934f62c2fcc212ca8

      SHA1

      fd15acde40a86dd0c8fbc47f22a74771d4f2f049

      SHA256

      a752c27ff76b8a4dee4748d5ac7cf57ae416ddb6acef7346ca2b2d333123699c

      SHA512

      814c409428c679c881f524d9a45f8ca000c6e9dc181314682a6db209140643642d6eaf9515f4e6d7d1f6bc2f24dc453ca96d71657dd16e47929f5dda345b1ef5

    • C:\Users\Admin\AppData\Local\Temp\3582-490\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

      Filesize

      147KB

      MD5

      8402bf8514cf035b8336d53259096918

      SHA1

      3e3c7753a660553fc6d2cf4e7d52e4f27e1bfc33

      SHA256

      4b90942bf2232098b0664041091bf6e2542355664cdad974f2852d1b19e4f2a6

      SHA512

      aad0976d6c0be06496e20cc9f1812175dea7483642b5d0f948afdf017c2e9f404dfcfdbf4471be6b499dc7f1847d9198c3dfa2793377b31010a1d322cfbda404

    • C:\Windows\svchost.com

      Filesize

      40KB

      MD5

      36fd5e09c417c767a952b4609d73a54b

      SHA1

      299399c5a2403080a5bf67fb46faec210025b36d

      SHA256

      980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

      SHA512

      1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    • F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      49db5b8d9ebff3db8c096d90d8145dc8

      SHA1

      4ada8ff162f706db399bb200e1e432cab1b7959e

      SHA256

      98cfc0ef77c98416b449ae7052ec40f0d2952fcae567d8e37cf027df1350e2d7

      SHA512

      82c103357d54182f624fe5abca0db983ab9310a6bf0ce402c9418ab0372d122a24974299767fae5d5b9271af5b4a73d8d7449c964c9f272079558a92f8d47d05

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

      Filesize

      252KB

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \ProgramData\D97D.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • \Users\Admin\AppData\Local\Temp\ose00000.exe

      Filesize

      145KB

      MD5

      9d10f99a6712e28f8acd5641e3a7ea6b

      SHA1

      835e982347db919a681ba12f3891f62152e50f0d

      SHA256

      70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

      SHA512

      2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

    • memory/2344-14-0x0000000000DD0000-0x0000000000E10000-memory.dmp

      Filesize

      256KB

    • memory/2480-1077-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2480-1079-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

    • memory/2868-1081-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB