Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 14:23
Behavioral task: behavioral1
Sample: 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Resource: win10v2004-20241007-en
General
Target: 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Size: 188KB
MD5: 69045be037a5cf8195966f57bb30e5c5
SHA1: d4f157136a1b8f43c474b2eaf6cbe86ead68ff62
SHA256: f6c31b093d8940526584290954905d42e87bd16dd88fb64a876216a4e7a3805a
SHA512: dd02da0a0f0aa40324c0717848899deb8d83d48edcaf3ab021eea431764d6efeb52b7943fe04e5987dd92b7f4d8c960a9586906ad0785e78aa990f787e66b398
SSDEEP: 3072:sr85CDcSNm9V7DzY07RiY/JhsUogtP9bW3KVu5RTfqJogYg:k9Dc4m9tDzY079sUocPCIm1q2g
Malware Config
Extracted: C:\Qoi6ifOVU.README.txt
Signatures
Detect Neshta payload (9 IoCs)
resource | yara_rule
behavioral1/files/0x0001000000010314-13.dat | family_neshta
behavioral1/files/0x000700000001926b-1016.dat | family_neshta
behavioral1/files/0x0004000000005725-1048.dat | family_neshta
behavioral1/files/0x000300000000e6f5-1047.dat | family_neshta
behavioral1/files/0x0003000000005ab6-1046.dat | family_neshta
behavioral1/files/0x00050000000055df-1045.dat | family_neshta
behavioral1/memory/2480-1077-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2868-1081-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2480-1079-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Lockbit
Ransomware family with multiple variants released since late 2019.
Lockbit family
Neshta
Malware from the Neshta family is a file infector: it writes itself into other executable files to spread and cause damage.
Neshta family
Rule to detect Lockbit 3.0 ransomware Windows payload (1 IoC)
resource | yara_rule
behavioral1/files/0x000700000001924c-9.dat | family_lockbit
Renames multiple (365) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed.
Executes dropped EXE (3 IoCs)
pid | Process
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2756 | D97D.tmp
2868 | svchost.com
Loads dropped DLL (30 IoCs)
pid | Process
2480 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2480 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2480 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
2868 | svchost.com
Modifies system executable filetype association (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qoi6ifOVU.bmp" | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qoi6ifOVU.bmp" | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
2756 | D97D.tmp
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | svchost.com
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | svchost.com
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | svchost.com
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | svchost.com
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | svchost.com
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | svchost.com
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | svchost.com
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | D97D.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\WallpaperStyle = "10" | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Modifies registry class (6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Qoi6ifOVU\DefaultIcon\ = "C:\\ProgramData\\Qoi6ifOVU.ico" | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Qoi6ifOVU | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Qoi6ifOVU\ = "Qoi6ifOVU" | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Qoi6ifOVU\DefaultIcon | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Qoi6ifOVU | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeDebugPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: 36 | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeImpersonatePrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeIncBasePriorityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeIncreaseQuotaPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: 33 | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeManageVolumePrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeProfSingleProcessPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeRestorePrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSystemProfilePrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeTakeOwnershipPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeShutdownPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeDebugPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeBackupPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Token: SeSecurityPrivilege | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2480 wrote to memory of 2344 | 2480 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 30
PID 2480 wrote to memory of 2344 | 2480 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 30
PID 2480 wrote to memory of 2344 | 2480 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 30
PID 2480 wrote to memory of 2344 | 2480 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 30
PID 2344 wrote to memory of 2756 | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 34
PID 2344 wrote to memory of 2756 | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 34
PID 2344 wrote to memory of 2756 | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 34
PID 2344 wrote to memory of 2756 | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 34
PID 2344 wrote to memory of 2756 | 2344 | 2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe | 34
PID 2756 wrote to memory of 2868 | 2756 | D97D.tmp | 35
PID 2756 wrote to memory of 2868 | 2756 | D97D.tmp | 35
PID 2756 wrote to memory of 2868 | 2756 | D97D.tmp | 35
PID 2756 wrote to memory of 2868 | 2756 | D97D.tmp | 35
PID 2868 wrote to memory of 2648 | 2868 | svchost.com | 36
PID 2868 wrote to memory of 2648 | 2868 | svchost.com | 36
PID 2868 wrote to memory of 2648 | 2868 | svchost.com | 36
PID 2868 wrote to memory of 2648 | 2868 | svchost.com | 36
Processes
Process tree (child processes are indented under their parent):

C:\Users\Admin\AppData\Local\Temp\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2480

  C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2344

    C:\ProgramData\D97D.tmp
      Command line: "C:\ProgramData\D97D.tmp"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2756

      C:\Windows\svchost.com
        Command line: "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D97D.tmp >> NUL
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2868

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\D97D.tmp >> NUL
          - System Location Discovery: System Language Discovery
          PID: 2648

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 2580
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 129B
MD5: 493a202b027625546aae08389617a0ad
SHA1: 43767ab7339fa1e7aacf0d0a032924c072d2b0fc
SHA256: ff124cf7dc243a330161a6ad4a6a326b850c21f1cde07721b8842c2216fba894
SHA512: 5be714ab3a92f7d8fe2dba453d1c201211550feff47ac348a32ab097688b73c65e143151485d7f33c1e26ce97323b0c6afaa75c8d7edf3b9508fd84bf3434449

C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize: 485KB
MD5: 86749cd13537a694795be5d87ef7106d
SHA1: 538030845680a8be8219618daee29e368dc1e06c
SHA256: 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512: 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize: 674KB
MD5: 97510a7d9bf0811a6ea89fad85a9f3f3
SHA1: 2ac0c49b66a92789be65580a38ae9798237711db
SHA256: c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512: 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize: 674KB
MD5: 9c10a5ec52c145d340df7eafdb69c478
SHA1: 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256: ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512: 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize: 495KB
MD5: 9597098cfbc45fae685d9480d135ed13
SHA1: 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256: 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512: 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Filesize: 547KB
MD5: cf6c595d3e5e9667667af096762fd9c4
SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Filesize: 1KB
MD5: a28efdb0c5bd255529342a6319e056ad
SHA1: fbdf310d98fed7c1a112704641891631c9146d80
SHA256: c93a950fa64f444a31d8e3589625488fb5eb680eb5ae510a1961d3a2d8cec28a
SHA512: c5d33882a6ac472de962ee3bef290366db0eb8dd47f4c80a0d97f7a222d64c842b972c1e4df474c153f0753bafca698340657e67f867e51ddf1a0e919697bcc7

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-12-18_69045be037a5cf8195966f57bb30e5c5_darkside_neshta.exe
Filesize: 147KB
MD5: 1d2ac566e1352e8934f62c2fcc212ca8
SHA1: fd15acde40a86dd0c8fbc47f22a74771d4f2f049
SHA256: a752c27ff76b8a4dee4748d5ac7cf57ae416ddb6acef7346ca2b2d333123699c
SHA512: 814c409428c679c881f524d9a45f8ca000c6e9dc181314682a6db209140643642d6eaf9515f4e6d7d1f6bc2f24dc453ca96d71657dd16e47929f5dda345b1ef5

C:\Users\Admin\AppData\Local\Temp\3582-490\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Filesize: 147KB
MD5: 8402bf8514cf035b8336d53259096918
SHA1: 3e3c7753a660553fc6d2cf4e7d52e4f27e1bfc33
SHA256: 4b90942bf2232098b0664041091bf6e2542355664cdad974f2852d1b19e4f2a6
SHA512: aad0976d6c0be06496e20cc9f1812175dea7483642b5d0f948afdf017c2e9f404dfcfdbf4471be6b499dc7f1847d9198c3dfa2793377b31010a1d322cfbda404

Filesize: 40KB
MD5: 36fd5e09c417c767a952b4609d73a54b
SHA1: 299399c5a2403080a5bf67fb46faec210025b36d
SHA256: 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512: 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Filesize: 129B
MD5: 49db5b8d9ebff3db8c096d90d8145dc8
SHA1: 4ada8ff162f706db399bb200e1e432cab1b7959e
SHA256: 98cfc0ef77c98416b449ae7052ec40f0d2952fcae567d8e37cf027df1350e2d7
SHA512: 82c103357d54182f624fe5abca0db983ab9310a6bf0ce402c9418ab0372d122a24974299767fae5d5b9271af5b4a73d8d7449c964c9f272079558a92f8d47d05

Filesize: 252KB
MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1: ec66cda99f44b62470c6930e5afda061579cde35
SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 145KB
MD5: 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1: 835e982347db919a681ba12f3891f62152e50f0d
SHA256: 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512: 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5