neshta | fcc12388b7ae16efd8157df3fe8fd56ffaf913845ff1d603af7f1ef3b2e09627

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
Size

382KB
MD5

4d5d9411e1b8ca44b771f13e2de2219b
SHA1

903d2cd37ede4563ed81d256e9ee6068ec70a63a
SHA256

fcc12388b7ae16efd8157df3fe8fd56ffaf913845ff1d603af7f1ef3b2e09627
SHA512

725f64b0d2b8e4284a3422ff3a66aef1084cdfa4572ec79ec3cb300fc8f51113fda57bd8425ea699bea8fe01b88b7bf4801f04550050eae0502a18ce553c1bf7
SSDEEP

6144:Txabm6ij2JyQHHwIJOFYhs+gZ8XybnWJ/gIF+lmLrvGW4:NWJyQHHwIJOqhILkYIOovGW4

Score

10^/10

neshta sodinokibi persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2264-5-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2264-4-0x0000000004EE0000-0x0000000004EEC000-memory.dmp	family_neshta
behavioral2/memory/2264-105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi/Revil sample 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe family_sodinokobi

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe	family_sodinokobi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

Executes dropped EXE 1 IoCs

Processes:

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

pid process

1936 2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

pid	process
1936	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~3.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI9C33~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~4.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~2.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.29\MICROS~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MICROS~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MI391D~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.29\MIA062~1.EXE	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

description ioc process

File opened for modification C:\Windows\svchost.com 2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1384	1936	WerFault.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
4712	2264	WerFault.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

Modifies registry class 1 IoCs

Processes:

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

description	pid	process	target process
PID 2264 wrote to memory of 1936	2264	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
PID 2264 wrote to memory of 1936	2264	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
PID 2264 wrote to memory of 1936	2264	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe	2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe"
2⤵
- Executes dropped EXE
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 224
3⤵
- Program crash
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1092
2⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1936 -ip 1936
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2264 -ip 2264
1⤵
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
Filesize
86KB

MD5
a52b5790c7d8170f21ad6c1377fd46d4

SHA1
13baa64c26495b950a0d75f48dd69f48994f65df

SHA256
f044f31fd69157dc978bfbeb02a4fce467993911e90df9d1f692be7a903cab3e

SHA512
13040f92f3419ea8afd7c64464fe680dc8980593b7bc2e8afabc636aae83b1bd18a852d2e2e6d7e82eca49e8e5aa56936d5d657b0c0c0e4f62329c32a99fc773

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2024-06-11_4d5d9411e1b8ca44b771f13e2de2219b_revil_sodinokibi.exe
Filesize
341KB

MD5
992cd1673799f097e9243a53a31042cf

SHA1
726ee50b054d3027f28e8c2b0621f44c1a91b045

SHA256
6b1dd384ada65b6239eb0a22f00343eb6939e379e5ab07fe95b80fcc524db73d

SHA512
d27358619850bc0e4726c3fd05914cedd34f6698d5b34edf7e6a55dd6b5052454020e456d31a2963e8f064a9f799be6ca770e37606e94fa67cc6f4083591fa79

Download Submit
memory/2264-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-4-0x0000000004EE0000-0x0000000004EEC000-memory.dmp

Filesize
48KB

Download
memory/2264-3-0x0000000004FD0000-0x00000000050D0000-memory.dmp

Filesize
1024KB

Download
memory/2264-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download