Overview

overview

10

Static

static

10

_$RHB6IUX.exe

windows7-x64

10

_$RHB6IUX.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    _$RHB6IUX

  • Size

    221KB

  • Sample

    250113-nest3szmh1

  • MD5

    8288e3c2e95bc91e8594c8e23cab5a12

  • SHA1

    ee18b73b5584050165d63d607d4f6948cc6bf490

  • SHA256

    7c5fd9a2e93ad94d0b9edbb3921459c102de60e1af2fd0339c4777289fb305d8

  • SHA512

    718d90baeeb7ea290a3956d03f1e23a304c7d4e3838538adc85c1e50ebc68239de3fa4b137e0d72350436b509fbda2380540b0b7cea2ec517efe89b6cdf85df6

  • SSDEEP

    6144:k9lyzjvbzNdX5EWITq2UCNBGgaoSbR5U7rwN02X:l/FdXFf2UKBGgaoSVxXX

Score
10/10
neshtacredential_accessdiscoveryevasionpersistenceprivilege_escalationransomwarespywarestealerupx

Malware Config

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ink\es-ES\readme_for_unlock.txt

Ransom Note
!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale. What you will face if your data gets on the black market: 1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores. 2) You may be sued by clients of your company for leaking information that was confidential. 3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify. 4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered. 5) You will forever lose the reputation. 6) You will be subject to huge fines from the government. You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/ Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse. You can get out of this situation with minimal losses To do this you must strictly observe the following rules: DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible. DO NOT use any third party or public decryption software, it may also DAMAGE files. DO NOT Shutdown or Reboot the system this may DAMAGE files. DO NOT hire any third party negotiators (recovery/police, etc.) You need to contact us as soon as possible and start negotiations. Instructions for contacting our team: Download & Install TOR browser: https://torproject.org For contact us via LIVE CHAT open our > Website: http://ssl7iq25hyqyhjqtja3et5om3dczfh3khpvzkj7undaryzem2ks7akid.onion > Login: CLIENT > Password: WRxJXQYE5cPb4WPlqJXt If Tor is restricted in your area, use VPN�����������������������������������
URLs

https://gdpr-info.eu/

http://ssl7iq25hyqyhjqtja3et5om3dczfh3khpvzkj7undaryzem2ks7akid.onion

Targets

    • Target

      _$RHB6IUX

    • Size

      221KB

    • MD5

      8288e3c2e95bc91e8594c8e23cab5a12

    • SHA1

      ee18b73b5584050165d63d607d4f6948cc6bf490

    • SHA256

      7c5fd9a2e93ad94d0b9edbb3921459c102de60e1af2fd0339c4777289fb305d8

    • SHA512

      718d90baeeb7ea290a3956d03f1e23a304c7d4e3838538adc85c1e50ebc68239de3fa4b137e0d72350436b509fbda2380540b0b7cea2ec517efe89b6cdf85df6

    • SSDEEP

      6144:k9lyzjvbzNdX5EWITq2UCNBGgaoSbR5U7rwN02X:l/FdXFf2UKBGgaoSVxXX

    Score
    10/10
    neshtadiscoverypersistencespywarestealerupxcredential_accessevasionprivilege_escalationransomware

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Neshta family

      neshta

    • Renames multiple (8119) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks