Analysis

  • max time kernel
    171s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:04

General

  • Target

    c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

  • Size

    247KB

  • MD5

    04d97184729b092f1d795778caec8927

  • SHA1

    ee0a24536a64ed0803502501d6d6a1e336213063

  • SHA256

    c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251

  • SHA512

    c7cc2ec811f73c8b844281d689bfad03c89df321478e2cf2b4c3f0b46371bebf430349f1bfd8572d2588681189344b5b90e8a8b168ac3ac7c0d84521db1b23ec

Malware Config

Extracted

Path

C:\t0qrpg42-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t0qrpg42. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1020560E2095C69E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/1020560E2095C69E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: vapYXqEwOSZa0z6oHPUwDpUuwVatYAvu4JA/ueYOuHX2RusVEBwQpiVeixFR1RzE CWRb19paBHCxNjZ2tYIryn0nmKd9zYq5wT/dpQR6Jjl373fgeXWGnTzlNmVSlBaO uir3bFUR+QK+EWCmCSCrq0PKyabz5O0oBtkqyA+yz4qc7dWrsK6ODaloLL3rBxEE lDcPuicx5Jm/cbyFWye2bFEyc1pGtX58FIaOfbkZRlZQV+JOELZ0PMi3yNBHVWBd op4zHXjOqb/jjalbBhDQrTdxWG9sDaVfDbo6o5KxQBT0+WZ4jLX509THPFNx23Nb g4ZIagVpjIb0efQ3E5KRGA1YZjftamUJ5+Jmoj2bUugwb1IFcDyFX4WJgXpMMa6C McZHI3u2kov+VwJg1mIMV6Ji7TyAI90MAWxgf3oN/hox+8ZzwOkUJKvmZbIgSPN7 Fhv06R+EaYuP2T6NEcMJEMiuMXct8oqKVBqUub3y8fKl5ITW+avicZE+JgVORC1v 08LfRMpIhtDg+ytqT8KCF1l+3oMN09o5KIUCWJ2QZ/KSDW2i5unnHpHUprja9ZJL WyPPrAPQHdARg2aOxroOSY+JazIT4HSQnN1prBTjhD6GLWX29CRvdct8dZLbK1zu cK+3+ffKhzVVHt/rJAqIOOIK0pth5XRFb8MB90/NcMcGxklUh//NZIXJ7kOl+VGn 5Ee6KC6R8P1pwGpP5TC7NUfJLvHnC17dgl1ddVgtsXD5t8LfjpssuQ8amrYw0zx4 6EnATpp8Gx+XGIU84mFOyzMzo8WRiRLJHE2Ho43Z/e3akGvc2kLHBup8hGhHFA6q OlUbxjaFhYdMkWP4QVHiDT1JtScS1UEdnR24HnAfm2dAZMd8w0OHLBNtEs+J5o08 7D5YNAgIuqRDTd0nEHiHG9yePcc8ZGmQuGNmGKOBNcbDAsoTLtPzAC4mNKFU2tpu NIjE2Msum1EqYz1d+qF0XYa3OCiKlS3kfuQZI92nPQ9+gMuLRU/yPbr5HZuGIDRf 8BhAjvuJEtABxiWzplbMRw2hSbpK4E7tlGep2TWJnDrnTPU7C//68w3PR7nJkiKU i/1uXagYxefQtb5WBgPdnCWyTNhpSHBljDlbXNEq780Goa/rWReGR5EkBuD1XorG nbXmUbLIG/JBms6OxdKxcug+i0HcQnG/HjjyzNTJyTVWNQJUdP8W7SYYGOYAOEIk 3b/0Co9UFpfUlRUeS+LDhyjJA5LmLSGWi2A6uVGwIZ6QoKTBuGH4BwvF1gqZTi1D 6QiQILFinhe+cusKNjH6cuPPbfs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1020560E2095C69E

http://decryptor.cc/1020560E2095C69E

Extracted

Family

sodinokibi

Botnet

$2a$10$ZGqIY89Jar0DY9/9Hnp6Ku0nKqXP6FZH6TuF1uc0S2.QEFDPiJ9LS

Campaign

2866

C2

spargel-kochen.de

bloggyboulga.net

huehnerauge-entfernen.de

ravensnesthomegoods.com

highlinesouthasc.com

delawarecorporatelaw.com

campus2day.de

gopackapp.com

lubetkinmediacompanies.com

leda-ukraine.com.ua

kaminscy.com

ecoledansemulhouse.fr

oslomf.no

southeasternacademyofprosthodontics.org

kuntokeskusrok.fi

sloverse.com

tuuliautio.fi

coffreo.biz

testcoreprohealthuk.com

ulyssemarketing.com

Attributes
  • net

    true

  • pid

    $2a$10$ZGqIY89Jar0DY9/9Hnp6Ku0nKqXP6FZH6TuF1uc0S2.QEFDPiJ9LS

  • prc

    isqlplussvc

    mydesktopqos

    ocautoupds

    thebat

    dbeng50

    firefox

    tbirdconfig

    thunderbird

    synctime

    powerpnt

    winword

    mspub

    steam

    sqbcoreservice

    encsvc

    onenote

    oracle

    visio

    dbsnmp

    agntsvc

    sql

    infopath

    xfssvccon

    msaccess

    ocssd

    wordpad

    excel

    mydesktopservice

    outlook

    ocomm

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2866

  • svc

    memtas

    mepocs

    svc$

    vss

    backup

    sql

    veeam

    sophos

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 63 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe
    "C:\Users\Admin\AppData\Local\Temp\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3600
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2972
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1300
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2984 -s 3808
      1⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3512

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

      MD5

      c344cb3365d1c252ec9bca116df262c2

      SHA1

      feb6d0bbacdb99b882d563f27b78c9723f2aac49

      SHA256

      5058c2ecac89eb616b4478e9a1f61522ef906adc2fd18206ee6ab445be3b3ff3

      SHA512

      ce5b7ab0ded562ca52f6f5a281f0d46b88f76fd39385b52db7bc14e244434143215da8cdf0323f6de4a34b024f7bffc4734353da89fef5193f9ab454ede749be

    • C:\Users\Admin\AppData\Local\Temp\3582-490\c9d1ef33ca6a91b13f43b764beb0fe55893d0345e6a49deefec01c8b9b9c1251.exe

      MD5

      c344cb3365d1c252ec9bca116df262c2

      SHA1

      feb6d0bbacdb99b882d563f27b78c9723f2aac49

      SHA256

      5058c2ecac89eb616b4478e9a1f61522ef906adc2fd18206ee6ab445be3b3ff3

      SHA512

      ce5b7ab0ded562ca52f6f5a281f0d46b88f76fd39385b52db7bc14e244434143215da8cdf0323f6de4a34b024f7bffc4734353da89fef5193f9ab454ede749be

    • \??\c:\odt\office2016setup.exe

      MD5

      a91b655b3fcf1b88e61a5da392b6d556

      SHA1

      4c96cf82ff51329427279ec6656d3909e01ea47c

      SHA256

      8e6e2b27ea4ac1e79e1f2f3bf3c1c9e8b0cee8697a24f06a43cf8bae5dc4fb31

      SHA512

      102ab08d1b124e9ade0976d27eb84e230428f1d4b902a2771621294e396de8df447a5ae889d11791eb77565edc81451ab4b7ec001c51b7d818d99477bfac5d22

    • memory/3600-121-0x000001B3F24C0000-0x000001B3F24E2000-memory.dmp

      Filesize

      136KB

    • memory/3600-124-0x000001B3F2090000-0x000001B3F21C2000-memory.dmp

      Filesize

      1.2MB

    • memory/3600-125-0x000001B3F2090000-0x000001B3F21C2000-memory.dmp

      Filesize

      1.2MB

    • memory/3600-126-0x000001B3F2670000-0x000001B3F26E6000-memory.dmp

      Filesize

      472KB