Overview

overview

10

Static

static

10

cb6db23d41...de.exe

windows7_x64

10

cb6db23d41...de.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

  • Size

    207KB

  • MD5

    98563381bf9dff3b3e987e969b31ce33

  • SHA1

    bdf6b213a792dbcb74ccf4a3c86fa565f248505f

  • SHA256

    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde

  • SHA512

    5b50e1162acccc13b7e4af06dae5df1ef0b1a2c136e5105bd32188752da566a0434fb532321a5a02ba5e8beab2edbf7e9e13676994d1c2f8940eeb0f674977e9

Score
10/10
neshtasodinokibi$2a$10$bypwfv5f.unsw7rpjyqd/u290witdfou8ocgln3g.nu1ztwwauidm3253persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\9pw2c178g-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9pw2c178g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05F2E39D6AC34796 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/05F2E39D6AC34796 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: MabqOkTqpyIteob8GjwqmDEjCfLVTgI1VcuBMrpEBXcvCu0Bttozg5/OoNfFUwz3 vCdJH/fc/t905s8wefjaHYDVYPNIm2kmHsIwyZaP1z3DI+cTAM+j8zjqMKHL3OvK ZGjAaDy20C3LjmNLW9KbmolOpSbmDhtoRbsIKiYO5NNwwx7KLp1x3eHfyDFHaTdJ T9XXwgi+e51vVovm9w7jww7uHxz/2UhvmnMoY4x2ZFNlWJqIasRo7TJMkTd8t7/8 8viaUCRP/aZkem8FHnAHo/xi13qe3GpcvaACEw+N3IzILaw2zj9eRLQ8/+4Yn/8e y6Npb4Q5xs+qJeg2GMeJsDUNtPKtEXsSznkq+GA279B4h+PxedGZfCCbZPWj0uC2 iT7h8gYvO1vJBJXTRBbZ8RJ18Dmpme5u6bCm6kALsMhOobNOOWXmohf40u+SQKNx Oq/jc7rs6m+C1x1SHaSmGUsBBRoc60L5Rfe+rb1d6Cmi/MrTnaxlqwU98MY2KTcm igCj2yyHGHMnGcu+DXh/2o3Ry3GxXHL8ukHaGBlp+1nrvgDG1LN/G6xdqh3VkY4P JXxadW+0rfKWvOilwpGfOxkBjDrZJI47J/5tK30Th3N7EylbGp8dg1XMSdto+B4Q qEvPVJwjTsbtxpYzYxFG0HMxsX2r0DH30KcR5Z5ht6Yydtvwgfz8o/X5bWbiO6Z5 q30+EBMRv9j2g9mRtX4mPOPiUTY3hv2/c2p3OC7+HkISWhYAz5jLXLbx/BJTR4FI sAiR+Jt4VlRI4QBZZNOdMY7hKFCPNIzpL7blRexfP4+XHl3JRAo1dRxE81+bv0sf P86yIg5ckI2lXoA7v8zQp0EFtT21+CURJGzWF3K6S69U9a5/Jh0DH8QZm8o93s0a uCmZmWUPZjWI9tGfe9gfUmU8dJty2ioFuyVK5ipU6Td1hdGgNsoWnI4nNwQMLdrc CQIexIF0yqv8YovmkKeZTpn8a3RhDf0i1awkzC0QcmPRQQvNQClEiK2mt2lEmjhX XmJWTkWurSrOCONCDZsxYyZtg8pi7yQBh8D0k8ABvSUHvdaAMl0tpvZY+Qom03zm 14yxw54lUtwDAHirGd25S2iLN14tkLy0e8YEV1FfxtTy5pUH9w5/LBohy8295wwf 8WWm3zOBejEXp4gHnR7YFQ7+wHO+pGPa16ceHYTmqzs6TnpFS8I3fQOZggFv0dhb A/0PvQAgXyEwoHcn8T+LBoaqkKG+DX6jodeKJtY2+39PQbvhXPIxkGEme17H8WFB 7ZAq/FrlrKJhPBhG5B6pzw4dqnT4bug7qDZjX5/q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05F2E39D6AC34796

http://decryptor.cc/05F2E39D6AC34796

Extracted

Family

sodinokibi

Botnet

$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

Campaign

3253

C2

pier40forall.org

sandd.nl

thaysa.com

completeweddingkansas.com

gaiam.nl

dpo-as-a-service.com

aarvorg.com

personalenhancementcenter.com

cheminpsy.fr

pinkexcel.com

rimborsobancario.net

deepsouthclothingcompany.com

ligiercenter-sachsen.de

webhostingsrbija.rs

marcuswhitten.site

asteriag.com

edv-live.de

levdittliv.se

vickiegrayimages.com

iwr.nl
Attributes
  • net

    true

  • pid

    $2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

  • prc

    sql

    firefox

    visio

    mspub

    xfssvccon

    msaccess

    oracle

    ocautoupds

    tbirdconfig

    infopath

    ocssd

    excel

    thebat

    winword

    wordpad

    steam

    isqlplussvc

    dbeng50

    outlook

    thunderbird

    dbsnmp

    mydesktopqos

    mydesktopservice

    synctime

    sqbcoreservice

    ocomm

    onenote

    powerpnt

    agntsvc

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3253

  • svc

    memtas

    mepocs

    svc$

    veeam

    sophos

    sql

    vss

    backup

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:548
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1116
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1952

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

      Download Submit

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

      Download Submit

    • \Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

      Download Submit

    • memory/548-59-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

      Filesize

      8KB

      Download

    • memory/548-61-0x0000000002830000-0x0000000002832000-memory.dmp

      Filesize

      8KB

      Download

    • memory/548-62-0x0000000002832000-0x0000000002834000-memory.dmp

      Filesize

      8KB

      Download

    • memory/548-63-0x0000000002834000-0x0000000002837000-memory.dmp

      Filesize

      12KB

      Download

    • memory/548-60-0x000007FEF35B0000-0x000007FEF410D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/548-64-0x000000001B760000-0x000000001BA5F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/548-65-0x000000000283B000-0x000000000285A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1088-54-0x0000000076C61000-0x0000000076C63000-memory.dmp

      Filesize

      8KB

      Download