Analysis

  • max time kernel
    146s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:03

General

  • Target

    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

  • Size

    207KB

  • MD5

    98563381bf9dff3b3e987e969b31ce33

  • SHA1

    bdf6b213a792dbcb74ccf4a3c86fa565f248505f

  • SHA256

    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde

  • SHA512

    5b50e1162acccc13b7e4af06dae5df1ef0b1a2c136e5105bd32188752da566a0434fb532321a5a02ba5e8beab2edbf7e9e13676994d1c2f8940eeb0f674977e9

Malware Config

Extracted

Path

C:\9pw2c178g-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9pw2c178g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05F2E39D6AC34796 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/05F2E39D6AC34796 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: MabqOkTqpyIteob8GjwqmDEjCfLVTgI1VcuBMrpEBXcvCu0Bttozg5/OoNfFUwz3 vCdJH/fc/t905s8wefjaHYDVYPNIm2kmHsIwyZaP1z3DI+cTAM+j8zjqMKHL3OvK ZGjAaDy20C3LjmNLW9KbmolOpSbmDhtoRbsIKiYO5NNwwx7KLp1x3eHfyDFHaTdJ T9XXwgi+e51vVovm9w7jww7uHxz/2UhvmnMoY4x2ZFNlWJqIasRo7TJMkTd8t7/8 8viaUCRP/aZkem8FHnAHo/xi13qe3GpcvaACEw+N3IzILaw2zj9eRLQ8/+4Yn/8e y6Npb4Q5xs+qJeg2GMeJsDUNtPKtEXsSznkq+GA279B4h+PxedGZfCCbZPWj0uC2 iT7h8gYvO1vJBJXTRBbZ8RJ18Dmpme5u6bCm6kALsMhOobNOOWXmohf40u+SQKNx Oq/jc7rs6m+C1x1SHaSmGUsBBRoc60L5Rfe+rb1d6Cmi/MrTnaxlqwU98MY2KTcm igCj2yyHGHMnGcu+DXh/2o3Ry3GxXHL8ukHaGBlp+1nrvgDG1LN/G6xdqh3VkY4P JXxadW+0rfKWvOilwpGfOxkBjDrZJI47J/5tK30Th3N7EylbGp8dg1XMSdto+B4Q qEvPVJwjTsbtxpYzYxFG0HMxsX2r0DH30KcR5Z5ht6Yydtvwgfz8o/X5bWbiO6Z5 q30+EBMRv9j2g9mRtX4mPOPiUTY3hv2/c2p3OC7+HkISWhYAz5jLXLbx/BJTR4FI sAiR+Jt4VlRI4QBZZNOdMY7hKFCPNIzpL7blRexfP4+XHl3JRAo1dRxE81+bv0sf P86yIg5ckI2lXoA7v8zQp0EFtT21+CURJGzWF3K6S69U9a5/Jh0DH8QZm8o93s0a uCmZmWUPZjWI9tGfe9gfUmU8dJty2ioFuyVK5ipU6Td1hdGgNsoWnI4nNwQMLdrc CQIexIF0yqv8YovmkKeZTpn8a3RhDf0i1awkzC0QcmPRQQvNQClEiK2mt2lEmjhX XmJWTkWurSrOCONCDZsxYyZtg8pi7yQBh8D0k8ABvSUHvdaAMl0tpvZY+Qom03zm 14yxw54lUtwDAHirGd25S2iLN14tkLy0e8YEV1FfxtTy5pUH9w5/LBohy8295wwf 8WWm3zOBejEXp4gHnR7YFQ7+wHO+pGPa16ceHYTmqzs6TnpFS8I3fQOZggFv0dhb A/0PvQAgXyEwoHcn8T+LBoaqkKG+DX6jodeKJtY2+39PQbvhXPIxkGEme17H8WFB 7ZAq/FrlrKJhPBhG5B6pzw4dqnT4bug7qDZjX5/q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05F2E39D6AC34796

http://decryptor.cc/05F2E39D6AC34796

Extracted

Family

sodinokibi

Botnet

$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

Campaign

3253

C2

pier40forall.org

sandd.nl

thaysa.com

completeweddingkansas.com

gaiam.nl

dpo-as-a-service.com

aarvorg.com

personalenhancementcenter.com

cheminpsy.fr

pinkexcel.com

rimborsobancario.net

deepsouthclothingcompany.com

ligiercenter-sachsen.de

webhostingsrbija.rs

marcuswhitten.site

asteriag.com

edv-live.de

levdittliv.se

vickiegrayimages.com

iwr.nl

Attributes
  • net

    true

  • pid

    $2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

  • prc

    sql

    firefox

    visio

    mspub

    xfssvccon

    msaccess

    oracle

    ocautoupds

    tbirdconfig

    infopath

    ocssd

    excel

    thebat

    winword

    wordpad

    steam

    isqlplussvc

    dbeng50

    outlook

    thunderbird

    dbsnmp

    mydesktopqos

    mydesktopservice

    synctime

    sqbcoreservice

    ocomm

    onenote

    powerpnt

    agntsvc

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3253

  • svc

    memtas

    mepocs

    svc$

    veeam

    sophos

    sql

    vss

    backup

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:548
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1116
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1952

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Change Default File Association

    1
    T1042

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    4
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

    • \Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

    • memory/548-59-0x000007FEFC321000-0x000007FEFC323000-memory.dmp
      Filesize

      8KB

    • memory/548-61-0x0000000002830000-0x0000000002832000-memory.dmp
      Filesize

      8KB

    • memory/548-62-0x0000000002832000-0x0000000002834000-memory.dmp
      Filesize

      8KB

    • memory/548-63-0x0000000002834000-0x0000000002837000-memory.dmp
      Filesize

      12KB

    • memory/548-60-0x000007FEF35B0000-0x000007FEF410D000-memory.dmp
      Filesize

      11.4MB

    • memory/548-64-0x000000001B760000-0x000000001BA5F000-memory.dmp
      Filesize

      3.0MB

    • memory/548-65-0x000000000283B000-0x000000000285A000-memory.dmp
      Filesize

      124KB

    • memory/1088-54-0x0000000076C61000-0x0000000076C63000-memory.dmp
      Filesize

      8KB