Overview

overview

10

Static

static

10

f35316c360...63.exe

windows7_x64

10

f35316c360...63.exe

windows10_x64

10

Analysis

  • max time kernel
    192s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63.exe

  • Size

    207KB

  • MD5

    1c451710fcd855220a55ee7531c1db8b

  • SHA1

    64c5e509b899b37a2107384cb86ffbd42c9a559c

  • SHA256

    f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63

  • SHA512

    aa778286fe7773e080b9933b0cf8a887585484112189ddd1ce7583a2773b818d4e72527ee55f5b60436eb29028785c1ffaa081e627891ed4c848c31d773521e0

Score
10/10
neshtasodinokibi$2a$10$eexbkjbosgx7rhv9nzhif.mbiht5kcvbthgjgld4p5bskezrqeck.1428persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\t2w9uj-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion t2w9uj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CB5B94B5361BFB19 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/CB5B94B5361BFB19 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: PM1lJ+uxqzUZKF/ODAX50O/oh97CTRJ+cf8rBeKf13yuD3SDKai7jh/1gS6rGj5E FIw1KjXkuP9R2F6bFjfhfFOm9e8FeAjypLkKfgUhgT2teqbuZpc8nPc3mO8Ojnuc qliyuhhtzxwRFIx4GRu2+IW2caTM1nd3TUanYnvx0S71kZXGxn8gyX2aYha7eeYO kKPCjAFa2sQrPUmQW4FzxjVrm34YZQX5q6cM5unJrOC1uB1SaKIqDjOgg7bWI/3F TiH6tkYHVsR//Hl9tN2uY/sEUdfTbebZlerAhsaEW39rH2UPXwNMToaLF8rHDC4z kT33uGIrA6xtRkw2RcClrxJJipBQI2MQPMSZhMh716x+Ku4YPUw7ntQL8Rl05kPR vHgd6/8clJosbLO4xt1344ILwk3CZGI1kaZqKkgdz2ttRmxyjGm+i+xk8Rqq0dHp YBvn96BaT9bBewJzJHERnEj72yB7NIrw4Vv/E1R+Vl/wsi0MEHyNSLxhfY5Yz3zn O104jMdGuJtpK33AvpuqwWFRzwUHl+xMabLJN4m02tZ87taxiB/Gu1SUcYcTaSbF Sm9pjIbuXwd5GfdIohXvLZ+UCRXYcKRqL+5cFq9Cd4iV2UjvgHvIEZdYkFKksPqc EwOBFCd0RrZzaiOuBEj5PBUhdotmcdZBE1szzl5R0cvJBC7KWZtI1piHc6wSPyJF kNXXkE4EFA0mU6A2T0HeLT4oRyRqAcfyOuRoicrX/CUduxokLxg7MqQIT96AZISN /vIUf3ZZIiJNeeN/pgswN+vvvDFJsPoOZb6k/oG39+cqLopQkLT/31/+elsBciaf Faa7Jjbkh/rjEwlzIuTtluU7NxthrUzkjxpeTaFi+7HTI4EqvCKkL7TAl74N9IE9 KtplCSQak3SgJwLDt1Kt17KgQhqpLlRVb4g55+BjkUkKIzwlAnpYLe6wR2Y8eubd qNYMvix5NZR6PJp/6WhnpN5OCd/vVBgsznEyY6HTPq36ZH2WuXlSpxlYOYv5sf/f JwqaicPdBrYvRgc/xQejr61Fkj1BWlH6hY2TKfNP4KbXEunB+9lEHXKGRheYdahe KrG6Qfdr45rq66JHPPnbM6n8nvkIn2EwFKXJye7P/Aq6qUJVkOFJBnpQr8k/4Fq7 phTO7LXQOAuSaeMoRHzeXL1BqUucqLdpyTMpc3B7V7qt0m+gE5X/8B+Uyxv5SSN3 iwJN7NjUeFb77GPyrDI8Lt8gbJrpMvri0NTl441Ni/6fH5/IUJEatURCGlhjOYgV tvrFZCnoHrd5mqVzFMMEog== Extension name: t2w9uj ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CB5B94B5361BFB19

http://decryptor.cc/CB5B94B5361BFB19

Extracted

Family

sodinokibi

Botnet

$2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

Campaign

1428

C2

architekturbuero-wagner.net

socialonemedia.com

nuzech.com

kafu.ch

mediaacademy-iraq.org

pocket-opera.de

katiekerr.co.uk

bodyforwife.com

commercialboatbuilding.com

naturalrapids.com

mapawood.com

fiscalsort.com

baylegacy.com

koko-nora.dk

markelbroch.com

hexcreatives.co

kamienny-dywan24.pl

shsthepapercut.com

destinationclients.fr

shonacox.com
Attributes
  • net

    true

  • pid

    $2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

  • prc

    mydesktopqos

    thebat64

    encsvc

    powerpnt

    thebat

    mydesktopservice

    outlook

    msaccess

    ocautoupds

    excel

    msftesql

    infopath

    xfssvccon

    thunderbird

    visio

    steam

    winword

    mysqld_opt

    sqlagent

    sqbcoreservice

    firefoxconfig

    tbirdconfig

    wordpad

    mysqld_nt

    mspub

    ocssd

    onenote

    dbeng50

    dbsnmp

    sqlservr

    sqlwriter

    oracle

    sqlbrowser

    synctime

    agntsvc

    isqlplussvc

    ocomm

    mysqld

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    svc$

    sophos

    memtas

    backup

    veeam

    vss

    mepocs

    sql

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63.exe
    "C:\Users\Admin\AppData\Local\Temp\f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:504
    • C:\Users\Admin\AppData\Local\Temp\3582-490\f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:800
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:420
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1388

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63.exe
      MD5

      72e82c3418eefd708ef7887848278760

      SHA1

      cda4b494105853375379ae9009152a274e8880b2

      SHA256

      29ad3ad31948e4a58d4a6402b5dccdd5bfa384b996fb7ff94b7f4be29929b05e

      SHA512

      5041aaf1e8246933a1df0b34bb8772b7d7573a6767c29f728addabb89c5800701e552f5794f3e109cb9fb7b95190e2f96c115bbc9dcb86942bfa7bd56d3b5e5c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\f35316c3604c6f515d33999724e6b75db0e3c958f653c1af7c2f8e75aea35e63.exe
      MD5

      72e82c3418eefd708ef7887848278760

      SHA1

      cda4b494105853375379ae9009152a274e8880b2

      SHA256

      29ad3ad31948e4a58d4a6402b5dccdd5bfa384b996fb7ff94b7f4be29929b05e

      SHA512

      5041aaf1e8246933a1df0b34bb8772b7d7573a6767c29f728addabb89c5800701e552f5794f3e109cb9fb7b95190e2f96c115bbc9dcb86942bfa7bd56d3b5e5c

      Download Submit
    • memory/800-125-0x00000217F56E0000-0x00000217F5702000-memory.dmp
      Filesize

      136KB

      Download
    • memory/800-127-0x00000217F5770000-0x00000217F5772000-memory.dmp
      Filesize

      8KB

      Download
    • memory/800-129-0x00000217F5773000-0x00000217F5775000-memory.dmp
      Filesize

      8KB

      Download
    • memory/800-132-0x00000217F78D0000-0x00000217F7946000-memory.dmp
      Filesize

      472KB

      Download