Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 00:46

General

  • Target

    eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454.exe

  • Size

    219KB

  • MD5

    12d0810dceeab63dbab8b939518f3daf

  • SHA1

    e0d62e37d87c7c2faed9ec9a4cb86f2e80a05582

  • SHA256

    eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454

  • SHA512

    8257bd52a2de8e6fcb8d5532afc7fe34c0f56fe1dff5e7248890800ff853eb4866d0815610f101a3ee2cbdcf371b3d5e49d3f18a60f3f725a19843fd8f204d50

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

312

C2

abulanov.com

sealgrinderpt.com

brighthillgroup.com

hotelturbo.de

richardkershawwines.co.za

bajova.sk

clinic-beethovenstrasse-ag.ch

ebible.co

fixx-repair.com

bcmets.info

achetrabalhos.com

laaisterplakky.nl

espaciopolitica.com

mindsparkescape.com

lagschools.ng

tecleados.com

tweedekansenloket.nl

triavlete.com

luvinsburger.fr

sshomme.com

Attributes
  • net

    true

  • pid

    19

  • prc

    oracle

    mydesktopservice

    dbeng50

    msaccess

    excel

    msftesql

    steam

    tbirdconfig

    isqlplussvc

    thebat

    mydesktopqos

    sqbcoreservice

    agntsvc

    infopath

    dbsnmp

    sqlservr

    sqlagent

    visio

    mysqld

    ocomm

    sqlwriter

    winword

    mysqld_opt

    ocautoupds

    powerpnt

    xfssvccon

    thebat64

    firefoxconfig

    sqlbrowser

    onenote

    mspub

    wordpad

    mysqld_nt

    synctime

    encsvc

    thunderbird

    outlook

    ocssd

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    312

  • svc

    sophos

    backup

    sql

    memtas

    svc$

    veeam

    mepocs

    vss

Signatures

  • Detect Neshta Payload 10 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454.exe
    "C:\Users\Admin\AppData\Local\Temp\eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Users\Admin\AppData\Local\Temp\3582-490\eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2040
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1944
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:844
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1692

    Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Change Default File Association, T1042 (1)

  • Defense Evasion
    Modify Registry, T1112 (1)
    File Deletion, T1107 (2)

  • Credential Access
    Credentials in Files, T1081 (1)

  • Discovery
    Query Registry, T1012 (1)
    Peripheral Device Discovery, T1120 (1)
    System Information Discovery, T1082 (2)

  • Collection
    Data from Local System, T1005 (1)

  • Impact
    Inhibit System Recovery, T1490 (2)

    Downloads

    • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
      MD5

      02ee6a3424782531461fb2f10713d3c1

      SHA1

      b581a2c365d93ebb629e8363fd9f69afc673123f

      SHA256

      ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

      SHA512

      6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

    • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
      MD5

      cf6c595d3e5e9667667af096762fd9c4

      SHA1

      9bb44da8d7f6457099cb56e4f7d1026963dce7ce

      SHA256

      593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

      SHA512

      ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
      MD5

      58b58875a50a0d8b5e7be7d6ac685164

      SHA1

      1e0b89c1b2585c76e758e9141b846ed4477b0662

      SHA256

      2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

      SHA512

      d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

    • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
      MD5

      566ed4f62fdc96f175afedd811fa0370

      SHA1

      d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

      SHA256

      e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

      SHA512

      cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

    • C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
      MD5

      fc87e701e7aab07cd97897512ab33660

      SHA1

      65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

      SHA256

      bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

      SHA512

      b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

    • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
      MD5

      f6636e7fd493f59a5511f08894bba153

      SHA1

      3618061817fdf1155acc0c99b7639b30e3b6936c

      SHA256

      61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

      SHA512

      bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

    • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
      MD5

      b4cd2bac8aabdb6833c1fe651aa5dfd6

      SHA1

      f2498cf9cd76fc315918ad801b1b64b910c09d8a

      SHA256

      901660185a5724f78c2081dce79828af52453d55b7b807ec6880b382ea87d0f0

      SHA512

      ed5062410a8357c4a2da5d7b3541a586cbd951f603c39cf3f277242a1d2855548e57f60da1a49518ed5915ade4d5df4cc71e149a3c62805daad6ef553720778c

    • C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
      MD5

      a49eb5f2ad98fffade88c1d337854f89

      SHA1

      2cc197bcf3625751f7e714ac1caf8e554d0be3b1

      SHA256

      99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449

      SHA512

      4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593

    • C:\Users\Admin\AppData\Local\Temp\3582-490\eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454.exe
      MD5

      92e9c528aa262e5414f7820fb907b160

      SHA1

      660da1b587807df1af7a191bfde382e4d82ed3f7

      SHA256

      bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7

      SHA512

      60d91b35a6fad3128c0cab0b0a5549f71eadc7fbcaef4330668642aa9d9bee54a549dfdc79a5d16a12d77db53596c34c4e291c713075b0cc1ec5adb66276c745

    • C:\Windows\svchost.com
      MD5

      36fd5e09c417c767a952b4609d73a54b

      SHA1

      299399c5a2403080a5bf67fb46faec210025b36d

      SHA256

      980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

      SHA512

      1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\eb39d8105813678544ed2c266e50e01ce45f594287f19f48ab4359930a753454.exe
      MD5

      92e9c528aa262e5414f7820fb907b160

      SHA1

      660da1b587807df1af7a191bfde382e4d82ed3f7

      SHA256

      bf43061a8849ce6aa78e82f830eba1cd36f7e753594aea195661ad9e8aec63c7

      SHA512

      60d91b35a6fad3128c0cab0b0a5549f71eadc7fbcaef4330668642aa9d9bee54a549dfdc79a5d16a12d77db53596c34c4e291c713075b0cc1ec5adb66276c745

    • memory/268-62-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

    • memory/268-68-0x0000000000270000-0x0000000000276000-memory.dmp
      Filesize

      24KB

    • memory/268-67-0x0000000002660000-0x0000000002769000-memory.dmp
      Filesize

      1.0MB

    • memory/268-66-0x00000000002A0000-0x00000000002BF000-memory.dmp
      Filesize

      124KB

    • memory/268-65-0x0000000000EB0000-0x0000000000FDD000-memory.dmp
      Filesize

      1.2MB

    • memory/268-64-0x0000000000E10000-0x0000000000EAF000-memory.dmp
      Filesize

      636KB

    • memory/268-60-0x0000000000130000-0x000000000013A000-memory.dmp
      Filesize

      40KB

    • memory/268-63-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

    • memory/268-61-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

    • memory/1600-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
      Filesize

      8KB