Overview

overview

10

Static

static

10

7227cb2316...68.exe

windows7_x64

10

7227cb2316...68.exe

windows10_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe

  • Size

    205KB

  • MD5

    ea0acb3bfaee6386a9270cc314ebfed9

  • SHA1

    bdc92076c2851d408af99a4c6a6a42a4a12c5d9d

  • SHA256

    7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68

  • SHA512

    f29d48b87085e8fb3502b48d97f8499baa375bfc91a0b96bfdc1e733b24eb0f5ad8baca41f145614943746fc42a30c3408b6a3e4332c8ddb2c14cf45a406f532

Score
10/10
neshtasodinokibi191428persistenceransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

1428

C2

ketomealprep.academy

lyricalduniya.com

ikadomus.com

volta.plus

ykobbqchicken.ca

axisoflove.org:443

supercarhire.co.uk

autoteamlast.de

makingmillionaires.net

eastgrinsteadwingchun.com

pilotgreen.com

kafkacare.com

biketruck.de

stanleyqualitysystems.com

rattanwarehouse.co.uk

humanviruses.org

keuken-prijs.nl

jobscore.com

atelierkomon.com

onlinetvgroup.com
Attributes
  • net

    true

  • pid

    19

  • prc

    thunderbird

    ocssd

    sqlagent

    firefoxconfig

    powerpnt

    steam

    sqlbrowser

    synctime

    oracle

    infopath

    sqlservr

    agntsvc

    winword

    dbsnmp

    sqbcoreservice

    dbeng50

    mysqld_nt

    tbirdconfig

    msaccess

    mysqld_opt

    wordpad

    xfssvccon

    isqlplussvc

    excel

    thebat

    mysqld

    onenote

    ocomm

    msftesql

    mspub

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    sql

    veeam

    vss

    sophos

    memtas

    backup

    mepocs

    svc$

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 53 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
    "C:\Users\Admin\AppData\Local\Temp\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:796
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2180
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2204

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
      MD5

      83e92758d97a8daac290affd8172123c

      SHA1

      10784ae6ff2685f10aa1f5d16c2981de7be8702a

      SHA256

      ba76db6dc7d7045db201d4a8dba17f17dc91d735490976fbd1ef9a0b1dcc38a7

      SHA512

      4de3a34df593c4cafeb2046e1b3dba6653f089739871ad0f36ae09387555fd8c6c5c09f4e42cc2db2bffd388fa8e5b0a2eac752af609467c725fb5ad675ce42d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3582-490\7227cb2316b9e3b678698609b41ba67958d509fbf37c46cbde714b105b71bd68.exe
      MD5

      83e92758d97a8daac290affd8172123c

      SHA1

      10784ae6ff2685f10aa1f5d16c2981de7be8702a

      SHA256

      ba76db6dc7d7045db201d4a8dba17f17dc91d735490976fbd1ef9a0b1dcc38a7

      SHA512

      4de3a34df593c4cafeb2046e1b3dba6653f089739871ad0f36ae09387555fd8c6c5c09f4e42cc2db2bffd388fa8e5b0a2eac752af609467c725fb5ad675ce42d

      Download Submit

    • memory/796-125-0x0000012C512C0000-0x0000012C512E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/796-129-0x0000012C51EF0000-0x0000012C51F66000-memory.dmp

      Filesize

      472KB

      Download