Overview

overview

10

Static

static

10

7598009f6c...12.exe

windows7_x64

10

7598009f6c...12.exe

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe

  • Size

    205KB

  • MD5

    b4297cf818bc7a28cf5bc359cc55db34

  • SHA1

    82180d10efb373866648e85e1b37a7ade146fef3

  • SHA256

    7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312

  • SHA512

    7e05afa695a55c805f92c864d712919d991b6841c695034058fbf37076a8dcf216adcfcfc2f2b3a749c4c087b853e5ad5f9e71cd3c303272b8689c79a3aab7cf

Score
10/10
neshtasodinokibi191112persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\6rt29-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 6rt29. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46F5298586C2C715 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/46F5298586C2C715 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: v96EoUxMSB/9pFO3ChptAw32neli22V2E0koaIoIlbaVTJAQEeprOfoazOk4Tm8A dgKzHJIwDn6YZI2NiHYsz9xhFzeWfMVGmsMwK/p/zhnv4XeT0iFhcUj4j4sRi2uk +V/0Y+ZZrOiqLQB31c33Z0PRefKxT2fxGMZFGl+rxsRmEy+Wb2PFHGJkxamBDHPZ Ucs2FN+xoXal95smyebfX5WBYfObsJ2BwpFpsgRjjkwdNQ9qWtRPavIJRRG4t38h +uc6DjXyhO+lKJd9Cs9cZ0elZj1AnebXUR26O1spVOuDVN7KnnO+bF5GXb5WxWL7 AsyW9E9mqZugtOZHMmhzru9eTNF8o9IJ5I+hEkvKvH0OQWn/MqaHNbmtG3xaUyR6 nvJn+rz2fWMRTS5aFbkO+h4yZzQLpID7BaVMrDyS6pBNJi80Xsf7vUV48p6w+PIa bx8hYYU3pYVwDeHKaOK0ZLyVL+WGviPpLYwpnyqNJjQvB6m2moGEPs1PTgbo/7L5 dtML7fPmMzT/P72nYHj1X4/ZK12/BTkdcDV4KFpFkjXVSdCDiBdoPuy7bepfa8JY TIxG2MXUyvf7GfsMjy8YC3+3qeoTJXkZPGS+Fbl34Yprci33zisMqhPmDEaZQgBf Vpc7F8W6/9M4nJjGTywb+C61yUZkju/Pjer1VcOeD2D3DP6sFtIYzIjhNyAgtLWD tS2tBmqIlfWE8z3z+YcNGImS+ayX7KbIbbfUZjdzcawaN0HyxD30qM4byyD8pffW gNQVCAIO39ETI39SU8xj2rhxC3E40OfH/Ujc8j51VCoAHmVMhU70h9C1fRkF7eG8 11xmq3SDAAJKsW6AB5iE0GdKECTfrZu45NviO9JKjIgAzWxCEs6LJJi9E0zLl/TG 5Dz2W7Zw9CHWKaIoU4fAnj198/DfEBaJEAJLND00ZiIGZo6pULqMg0qoQ1YPef0f bXCxpNPGFzCKuffbqrCouIktlJQvNnmPBty6uL7q3MSxjfIpoz4t4KEJRFifHG7e 9jOpCk6WYdr7YxwDyILnJXiTD9tYa7KckRJsdL5A/xLIQP+qbF4ToX6W7cYqLG79 I2rTMZC+YpnpHkWEZrBebv3LwGmkG0/XCp5fdkgLW5UuxNK63LWi4H2N Extension name: 6rt29 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/46F5298586C2C715

http://decryptor.top/46F5298586C2C715

Extracted

Family

sodinokibi

Botnet

19

Campaign

1112

C2

globalcompliancenews.com

mazift.dk

topautoinsurers.net

marmarabasin.com

pharmeko-group.com

jacquesgarcianoto.com

affligemsehondenschool.be

der-stempelking.de

worldproskitour.com

kdbrh.com

bookingwheel.com

scholarquotes.com

plbinsurance.com

ntinasfiloxenia.gr

noda.com.ua

avisioninthedesert.com

kafkacare.com

soundseeing.net

foerderverein-vatterschule.de

lassocrm.com
Attributes
  • net

    true

  • pid

    19

  • prc

    outlook

    infopath

    mydesktopqos

    oracle

    thebat

    steam

    ocomm

    msaccess

    encsvc

    agntsvc

    tbirdconfig

    thunderbird

    isqlplussvc

    xfssvccon

    excel

    mydesktopservice

    dbsnmp

    ocssd

    synctime

    powerpnt

    onenote

    winword

    mspub

    visio

    sql

    dbeng50

    firefox

    sqbcoreservice

    wordpa

    ocautoupds

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1112

  • svc

    mepocs

    memtas

    sql

    backup

    vss

    sophos

    svc$

    veeam

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
    "C:\Users\Admin\AppData\Local\Temp\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1448
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1592
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1144

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
      MD5

      378af5669eba449d5c89758896c1687b

      SHA1

      d6dd944a31221af6da5b67802451dee63d1c44bc

      SHA256

      645f2904cde1bda224d41bf6bec2140999c5ddf1d34149be7a4f092417a18392

      SHA512

      8f12495e91fc8ce1adcbb0b4b8abac93d6baf94b66a3a42c05bd012804a798f41a8752ec28519bbea6b411e113fc3584fc1b3693251e9e1497b13ae6cbd98ce4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\7598009f6cff5f998c2f24f77043fb6ec8dcc8cb9dc45a6224758d31cad55312.exe
      MD5

      378af5669eba449d5c89758896c1687b

      SHA1

      d6dd944a31221af6da5b67802451dee63d1c44bc

      SHA256

      645f2904cde1bda224d41bf6bec2140999c5ddf1d34149be7a4f092417a18392

      SHA512

      8f12495e91fc8ce1adcbb0b4b8abac93d6baf94b66a3a42c05bd012804a798f41a8752ec28519bbea6b411e113fc3584fc1b3693251e9e1497b13ae6cbd98ce4

      Download Submit
    • memory/1448-122-0x00000275D8310000-0x00000275D8332000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1448-127-0x00000275F29C0000-0x00000275F2A36000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1448-136-0x00000275D8700000-0x00000275F07F0000-memory.dmp
      Filesize

      384.9MB

      Download
    • memory/1448-140-0x00000275D8700000-0x00000275F07F0000-memory.dmp
      Filesize

      384.9MB

      Download