Analysis
-
max time kernel
141s -
max time network
130s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 00:51
General
-
Target
e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe
-
Size
198KB
-
MD5
858c29efee084e86616b21fdc4d2a3de
-
SHA1
d642f7ecda3fa135761d68eb20f44d66eba798fa
-
SHA256
e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37
-
SHA512
673ffc06a6c2b66808c4b174d9b90d440b320b63c4076731bf6f96fbf33ef56e8930b4ce0ec4b0e9f710f1db952cb6b1bb178a1540d6d76950dd9c646e22e1e1
Malware Config
Extracted
sodinokibi
19
29
schluesseldienste-hannover.de
alpesiberie.com
bratek-immobilien.de
bcmets.info
log-barn.co.uk
diverfiestas.com.es
nexstagefinancial.com
mundo-pieces-auto.fr
marmarabasin.com
walterman.es
juergenblaetz.de
centuryvisionglobal.com
witraz.pl
aslog.fr
qandmmusiccenter.com
awag-blog.de
domilivefurniture.com
penumbuhrambutkeiskei.com
from02pro.com
teamsegeln.ch
-
net
true
-
pid
19
-
prc
mysql.exe
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
29
Signatures
-
Detect Neshta Payload 24 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi/Revil sample 5 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe"C:\Users\Admin\AppData\Local\Temp\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXEMD5
7bffdf305e41f531e6e963c5585b361e
SHA10a6a8d053af1f3be641f576e0f1012231596275f
SHA256e826d5da72e45cc3cf73c79b0c112abad603a871b1ae5163d6145c77fc6deded
SHA512cf0d81085fbdcd66141e1ed443d61e2c9e2af2109b78f0417f23b518fa5784b1ea3efd90a6fb92d88ca1b1fdd828631979fc1c033750e7cb7c5c56be54ec82f1
-
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exeMD5
5ea5030df11d694bf9d0df8c4079ee37
SHA1f4802bf1ce3649eeb0af9b4c5fecbb9305fb031f
SHA256df4e6718dbc33b059d9faa5c7a8344375bdfe4808bcf4926ebbb00f8d7283dd0
SHA512d6eec8151110323ab06963b1ee451e9c6ecaed6720421c9a5e9afb0efe2cf295a8cf083592fe83408e930f1b88c9ab3f968caba5a6d76a3aa41ee35cdfab80b5
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exeMD5
100b5b7378227048bc1e1b82cb58635d
SHA1805cff59e7dc4a42228c3b31ff945e6c0c844793
SHA2561002540ac8ecfcca62bcb5afe7e247a08f5903bbdc8fcf090111e9658d28085d
SHA512e464bdfe873bd99f118081bfac51fffe5c1e67b95d7af6a58e4090ed4cbac01baf2c8b161ef8e4ae2882e8d731bab7527001ac94b9f2433b0dca18847da92aae
-
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exeMD5
f546db5b23603cb1033666a040eb0ab8
SHA1edc2a991e64f1bee0edff6750597a106cd34c248
SHA256ad474d99802aa98da02ed4c88da79d00a98be528973ca13b48189709b030cfec
SHA51226ea3c81f4b802f106d345b8b9a0f32da637247747e310fba0d46eb9dd8565e5a724b312eaf19ed0c256aaa4a6fe27e6e18eab61e36653edbf67207baaa8c0ec
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXEMD5
d4c158edc16d0878a3c227821461929a
SHA1035d265d4880cf55c61968b03810621f9fe932b7
SHA25605480d61d46b9b97cc06bdea27c9a6734a085ad129b240f695200d559a0e3ac0
SHA512a6cdda1c93da5d7f2ecf64b14cdfcead0125a2f053858d2429e5f5113c3a72e02a08734741a03375a1cfcab4b089ef1deaf6fec026254448dec142fdd437379a
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXEMD5
8baeee0719d79bece62f3b6ff8f9a897
SHA1185e3ecfc142f929d8503eb170296d68325a53c4
SHA2563eab94d984b013888e7c2aaf516347ad7ce60ab545446dac9d81a379213c3d0c
SHA512b0d9698ff0f87f3ae4bcf2d42315c11e2dba6b7d90a6320775c5adcffce51a54498cf581960360333cb39877122df78b28a3f86b602ef4fae766f04b92a14e1b
-
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXEMD5
33992252e9faa6ff868ed7aed3596b3b
SHA1b440d282b9e2597bf70a88dc34ad9cb4bcbd37cb
SHA256f5112af66850a620f46abe76a499d86c8ac77a9fe565a56c95919c5fc6a829e9
SHA512d51a8270b7d150764151fc5ee13f80122f292a18c9189b03fa55c6eb380aff99b5913e92b479ef4f30f66e12629b35f833f4f38e7776e0f20dc1c1fd2217a891
-
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXEMD5
2368371384a01f5d26a1616738a4637f
SHA17f65d7f088f06222c0b33d7e0ca8b865a2a94d4e
SHA2565d9742491fbec4ec3ae8dfd2d65812bed2f0daf5fe54d37a4b35c817610297db
SHA512b3441ec083d0d7e821ec8329c540900c26402fc2d66138005b983a3dbb257fc4afcfc877bb9742836045b59f17b6525d05aece067cdac954ad2e3cc8684a7823
-
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXEMD5
efc0f01dd1778c34d16d21a517a8258a
SHA10bae66fcb9bfc1899ae875a117a4d18fca72407e
SHA25693d299ef4a9a72a4dc95029e4c6636cf5dba8339f008bae62eca98ade1890ead
SHA512a68a04e219dbfc82220ed6d5a61616f1d9abd70dad4a4436c53a625a73b77a7bd13f7eec1eae3797985023775fd5944d25bc096006ce2ea3f66bd59f6676d59c
-
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXEMD5
7bffdf305e41f531e6e963c5585b361e
SHA10a6a8d053af1f3be641f576e0f1012231596275f
SHA256e826d5da72e45cc3cf73c79b0c112abad603a871b1ae5163d6145c77fc6deded
SHA512cf0d81085fbdcd66141e1ed443d61e2c9e2af2109b78f0417f23b518fa5784b1ea3efd90a6fb92d88ca1b1fdd828631979fc1c033750e7cb7c5c56be54ec82f1
-
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXEMD5
341c2a927f4b7220a63af0ca6b7f3887
SHA1e65f5a81f7a04fdd3b5874e528ba7f5944cd5441
SHA25687a9bf4dd435399c6bbbfc0b5543538d0c5a2e33d8f374c63bf542bc9fa9cd8a
SHA5125a8c7e2c605e937e4e4dfff0347ec576673d35abdf36c63fdc4aa0c1c48870d55b902429b2949c186b910e76e5e6c4986f7a1612e34a4f60ac7c8e0f9c71d99a
-
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXEMD5
f798867dde77bafe5285e979d4fe2ed6
SHA114b55d2440c6e6c683106a85f55cd7de73bac021
SHA2569b021424edb7f761db762b0e4bfc05a569df605492a6964fd962d5e07f7b90e0
SHA512fa53cd5de38734a3063d8f92b690cd4228397b5820cb60f7f36b07f1a735fd7c0ff9cf26e2ee01de89fd6f74e10fd908fc4767a246d9f875a5b81830942b8a38
-
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXEMD5
d5daf9abad3166c668bea87625996be0
SHA17ac4aab5fa06c5b0254adb5006a7292e1d2126c7
SHA25677e7df78f21322b7e035a091cabe90eb5a2929176bb675483043e5d02c548d58
SHA512f4e0a71a3165a56b006cb34838ba766a15280f39bb1f3097f823718dda9689e02340d33c69bb03d113c3664daa2c7a94be824d7cb90d1b28c290ff2d7c8ee8cb
-
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXEMD5
feacea73064b02895eff292d583992a5
SHA18b9d9ec8dd742bb34cd05848c0de5b6cb757b65c
SHA2562195cd66177ef054fa340a3978129757331f78d651e5f34d57d5420737bf7de1
SHA512e843cb06329f913b7ec0f0fddd0ee01dd6b90bcc21ce9fab4fc1e651999ee4a00bfac4566b89dbf2dac90e3d4493a02e352c60d072179485848e2077776f6715
-
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXEMD5
f88528d87d8f8cbbd74c4bcea43192c8
SHA15834bfa07b1a772e98f6b64ac6dca03d41de4a39
SHA256a7d8988a2458d19152bb28aad4eaf6eab08fcb6a0d6e423638a823de354ec192
SHA512d2583d88d56100146f4835f83fbd914ed694607cc6363e27f78b49b17ee4532bc80ecf3fca88aa2bf3e21b813b1d2747dbc55fa3650eb46842572a8b06261190
-
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXEMD5
dd1239a44b96b5362a59f6a6e41b57b7
SHA1dbbaf02b0d117ec7e5ddb3777ef49232e71563ad
SHA2563637207bd997b4948695470b657a0d34a6fd4da340227ffe610b82d130ff4f40
SHA5122e41b1a7a8c7943ef8458facef958ff87fd91b475cd0412a7d13758e71c5d0c9d9d74b7ef01f553660151563e3b8823de50647cb498d18c6c84e8643c0cbcbcf
-
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEMD5
1f547fb2aa47a885c18aa2259b0de346
SHA1a312732d524eaae0b590902fb776a67adc3fa0b4
SHA2560e94a45ec7bea8bf611f6645b6ef67f8b2d3f6a6b9bf58e822c4efb9713d4e4a
SHA512b16c33f5670a0e27d792ba9d2e2a1ad31a45a24ee4919e6de89ffbe302d3810bc18bb0d80199d3e186bfb3c76b7322c0d9f7817a2a97fffbaa3937ed0f678db7
-
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXEMD5
5e2e10ed5362f576a7f203b4e0515f65
SHA1c4805ca58ce9d1cb99ba74c43cceb6b4f4906d7f
SHA256517b7ae5247c9207eff450e0a8699ed2fdf0fa5a2bf97c11c12252d8de58becc
SHA512a21d154479886484383ee9b013e601339b56882782080a9a7e18ff25568630abed3ff07ec6b0e62eb35e4b0873aec7a76f4c29c10c51ea0f63b8cd5b470459b1
-
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXEMD5
0735382b4f8d9d1c007f58c1c1f280ed
SHA1c16f22c0ee98a99289378025a1deabf36ee4d948
SHA256efc0aad354cef7921983a3d66d0f7ec1e83c39790590a33dde97b8ccaca3f5cd
SHA51246b77af08b2994700fd7deb7506ebd05f8fc229638bd0aaea9fbdd14706c876d20bea05aba5aaece6924599618971f278652815623701e974577eafa4e8789a4
-
C:\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exeMD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
C:\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exeMD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
C:\Windows\svchost.comMD5
92de9dd35422ed5eb81d1b18c07d748c
SHA16e4571c89618ac100d36e8965cc21b1c78ef0575
SHA256a0d82923b587f61991b80d5769aa91727d62c06e46ad0146b1fb9fa2f9839118
SHA512e0712a1fe820c0dd12332fb5f53cfc7a8e60882b5cf193a36b8dd10af02f95fe26cb0db3b4cad7b516b6d6cdf51ed08f0949c85b88a17ae25874448342013c3e
-
C:\Windows\svchost.comMD5
92de9dd35422ed5eb81d1b18c07d748c
SHA16e4571c89618ac100d36e8965cc21b1c78ef0575
SHA256a0d82923b587f61991b80d5769aa91727d62c06e46ad0146b1fb9fa2f9839118
SHA512e0712a1fe820c0dd12332fb5f53cfc7a8e60882b5cf193a36b8dd10af02f95fe26cb0db3b4cad7b516b6d6cdf51ed08f0949c85b88a17ae25874448342013c3e
-
\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXEMD5
d4c158edc16d0878a3c227821461929a
SHA1035d265d4880cf55c61968b03810621f9fe932b7
SHA25605480d61d46b9b97cc06bdea27c9a6734a085ad129b240f695200d559a0e3ac0
SHA512a6cdda1c93da5d7f2ecf64b14cdfcead0125a2f053858d2429e5f5113c3a72e02a08734741a03375a1cfcab4b089ef1deaf6fec026254448dec142fdd437379a
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXEMD5
2368371384a01f5d26a1616738a4637f
SHA17f65d7f088f06222c0b33d7e0ca8b865a2a94d4e
SHA2565d9742491fbec4ec3ae8dfd2d65812bed2f0daf5fe54d37a4b35c817610297db
SHA512b3441ec083d0d7e821ec8329c540900c26402fc2d66138005b983a3dbb257fc4afcfc877bb9742836045b59f17b6525d05aece067cdac954ad2e3cc8684a7823
-
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXEMD5
341c2a927f4b7220a63af0ca6b7f3887
SHA1e65f5a81f7a04fdd3b5874e528ba7f5944cd5441
SHA25687a9bf4dd435399c6bbbfc0b5543538d0c5a2e33d8f374c63bf542bc9fa9cd8a
SHA5125a8c7e2c605e937e4e4dfff0347ec576673d35abdf36c63fdc4aa0c1c48870d55b902429b2949c186b910e76e5e6c4986f7a1612e34a4f60ac7c8e0f9c71d99a
-
\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exeMD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exeMD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exeMD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
memory/1524-54-0x0000000075D51000-0x0000000075D53000-memory.dmpFilesize
8KB