Overview

overview

10

Static

static

10

7598009f6c...12.exe

windows7_x64

10

7598009f6c...12.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe

  • Size

    205KB

  • MD5

    b4297cf818bc7a28cf5bc359cc55db34

  • SHA1

    82180d10efb373866648e85e1b37a7ade146fef3

  • SHA256

    7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312

  • SHA512

    7e05afa695a55c805f92c864d712919d991b6841c695034058fbf37076a8dcf216adcfcfc2f2b3a749c4c087b853e5ad5f9e71cd3c303272b8689c79a3aab7cf

Score
10/10
neshtasodinokibi191112persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\tzx6t6l4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension tzx6t6l4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/49122D3739D71715 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/49122D3739D71715 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 68vn5YipjVUNEyEAGhtJb8fG+axODm2iGjEN2RBzDWk6myBqBZb1OxICTZruUFzO t8Cz/UrHeQw/ebxbvl3U+/mB8qt2H6hi2krLNQ8cEK0yefycL9gixs9zwkExP9HV 6FZta/4DQ+Hr7vqk1dtdw1HeUQjkjVPvpHTxoftIJ7T97u7cd8E+hckvXP0wjc0t xliB5CKcvu38PPZXwiwqaCIOa/J5Be6SsMx8E1A8e+5sv7RqscNb6OPBOFaZf4FO rJ6eq57h3ePYY/mlA4RWKe7/B+xZrnmsRlKNLLl6beqYnAkgkwlaJTLOMUC+upRE l2+2BuAEJ9I8jxaN6IfcoRyLSskPeoExZPckyNtKHOOGveicpvMHbRB+7bCVNqUd aYmiMFhH+srOhrT+exH56mpXZAFXIgUCYJmqMUCFvthnENxJtve3HQaetNQ5pmYG fWGu/0ItMWNBGurbJ/jEVwpXaNabeoEwWoSvSwYYAVZrQN1v/5vAihjgjx5YqQ42 WOQggz2UR1HncY1SrQnmp0D9ua6EKfJRSL7awMvrw9CW5RxJlVfBYDv0OS6G1Zcs P4gex8GVbiNDQ47qR78xS8lz3myvMyZbS4Tz5PaCgonSnK+8YdO43gNO2d3L4CyO MS02fvAA7pG2egJSlELl2MtWy6sHr7SrnEDFngwawLVa4DI3zYu2Hhq6BSJl8fz+ 2OjVL54C9Z2fDZQy64safwy0G9vdmBXXMpigPRtAK+Pp+7OqHIpUN+g4PMAm3Fau vZ3ZvxFDSKduewHgAnQaUq6gFViiL3XTiF4qy7eqvhuGIFnNzbG6X7ptFUDMPB7F ARmdzEgv0Cwryn4EgZHyUqnudZOIZl3Q+UggFUWFxs3bdlZXXTZklqbOxjUBk4oC AgwYsWed5N2SJAs0ltOYKOA9vGCZ8/Rs7HU4GKHP54QWiXQqkaBcoqGvT710Zy53 aLe2llsjZ3widXVhI5fGzCG0wSLE8qaP3ss8jW+pQqukr9HYY8DAgMTiI6Izzu52 c04zNnJphtD7biO6Mz52nqMGoEdj8h2LBX7wl9uWb/Yk2ncMZwxIhOMjJib4lECo Ws9BIAgRFlIWvyLKqvX3NBCDgtTFV8RmXhoIQiVP/uReQNpKSlovKK/gCG0uagJv IdJZSZmYLOE= Extension name: tzx6t6l4 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/49122D3739D71715

http://decryptor.top/49122D3739D71715

Extracted

Family

sodinokibi

Botnet

19

Campaign

1112

C2

globalcompliancenews.com

mazift.dk

topautoinsurers.net

marmarabasin.com

pharmeko-group.com

jacquesgarcianoto.com

affligemsehondenschool.be

der-stempelking.de

worldproskitour.com

kdbrh.com

bookingwheel.com

scholarquotes.com

plbinsurance.com

ntinasfiloxenia.gr

noda.com.ua

avisioninthedesert.com

kafkacare.com

soundseeing.net

foerderverein-vatterschule.de

lassocrm.com
Attributes
  • net

    true

  • pid

    19

  • prc

    outlook

    infopath

    mydesktopqos

    oracle

    thebat

    steam

    ocomm

    msaccess

    encsvc

    agntsvc

    tbirdconfig

    thunderbird

    isqlplussvc

    xfssvccon

    excel

    mydesktopservice

    dbsnmp

    ocssd

    synctime

    powerpnt

    onenote

    winword

    mspub

    visio

    sql

    dbeng50

    firefox

    sqbcoreservice

    wordpa

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1112

  • svc

    mepocs

    memtas

    sql

    backup

    vss

    sophos

    svc$

    veeam

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
    "C:\Users\Admin\AppData\Local\Temp\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:372
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1812
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1652

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
      MD5

      378af5669eba449d5c89758896c1687b

      SHA1

      d6dd944a31221af6da5b67802451dee63d1c44bc

      SHA256

      645f2904cde1bda224d41bf6bec2140999c5ddf1d34149be7a4f092417a18392

      SHA512

      8f12495e91fc8ce1adcbb0b4b8abac93d6baf94b66a3a42c05bd012804a798f41a8752ec28519bbea6b411e113fc3584fc1b3693251e9e1497b13ae6cbd98ce4

      Download Submit

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
      MD5

      378af5669eba449d5c89758896c1687b

      SHA1

      d6dd944a31221af6da5b67802451dee63d1c44bc

      SHA256

      645f2904cde1bda224d41bf6bec2140999c5ddf1d34149be7a4f092417a18392

      SHA512

      8f12495e91fc8ce1adcbb0b4b8abac93d6baf94b66a3a42c05bd012804a798f41a8752ec28519bbea6b411e113fc3584fc1b3693251e9e1497b13ae6cbd98ce4

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
      MD5

      378af5669eba449d5c89758896c1687b

      SHA1

      d6dd944a31221af6da5b67802451dee63d1c44bc

      SHA256

      645f2904cde1bda224d41bf6bec2140999c5ddf1d34149be7a4f092417a18392

      SHA512

      8f12495e91fc8ce1adcbb0b4b8abac93d6baf94b66a3a42c05bd012804a798f41a8752ec28519bbea6b411e113fc3584fc1b3693251e9e1497b13ae6cbd98ce4

      Download Submit

    • memory/372-59-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

      Filesize

      8KB

      Download

    • memory/372-60-0x000007FEF33E0000-0x000007FEF3F3D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/372-61-0x0000000002490000-0x0000000002592000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/372-62-0x0000000002592000-0x0000000002594000-memory.dmp

      Filesize

      8KB

      Download

    • memory/372-63-0x0000000002594000-0x0000000002597000-memory.dmp

      Filesize

      12KB

      Download

    • memory/372-64-0x000000001B700000-0x000000001B9FF000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/372-65-0x000000000259B000-0x00000000025BA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1584-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

      Filesize

      8KB

      Download