Analysis

  • max time kernel
    123s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 00:51

General

  • Target

    e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe

  • Size

    198KB

  • MD5

    858c29efee084e86616b21fdc4d2a3de

  • SHA1

    d642f7ecda3fa135761d68eb20f44d66eba798fa

  • SHA256

    e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37

  • SHA512

    673ffc06a6c2b66808c4b174d9b90d440b320b63c4076731bf6f96fbf33ef56e8930b4ce0ec4b0e9f710f1db952cb6b1bb178a1540d6d76950dd9c646e22e1e1

Malware Config

Extracted

  • Family
    sodinokibi
  • Botnet
    19
  • Campaign
    29
  • C2


Attributes
  • net

    true

  • pid

    19

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    29

Signatures

  • Detect Neshta Payload 13 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it writes its own code into other executables so that it spreads and causes damage whenever those files run.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe
    "C:\Users\Admin\AppData\Local\Temp\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3720
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:4056
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1796

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Change Default File Association (T1042): 1
  • Defense Evasion
    Modify Registry (T1112): 1
    File Deletion (T1107): 2
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 2

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  • C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
  • C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
  • C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
  • C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  • C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
  • C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  • C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
  • C:\Users\Admin\AppData\Local\Temp\3582-490\e125ef182c6de161f75933a552c39677d842d854c317da92518191054fd83f37.exe
  • C:\Windows\svchost.com
  • C:\odt\OFFICE~1.EXE