Overview

overview

10

Static

static

10

ba9592242e...e3.exe

windows7_x64

10

ba9592242e...e3.exe

windows10_x64

10

Analysis

  • max time kernel
    175s
  • max time network
    182s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3.exe

  • Size

    204KB

  • MD5

    91443fabe2b4bb7764ec65b07abb5de6

  • SHA1

    7fecfae5088225aadd5a7c8bbdbb229410d20a6c

  • SHA256

    ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3

  • SHA512

    630775064e3865ddf50835f818dbfc45b900042674f4fdbe37fff7ac2fe46e92d59fef20cfeffa3916b919fe19a89b2317ed575636ef973bdb662dc7daa149d1

Score
10/10
neshtasodinokibi1936persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\13f1fd7rp-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 13f1fd7rp. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0E5B02AC0834A296 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/0E5B02AC0834A296 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 0QzwvOcAXLZpt2wZE7Gi6H8IqLl+jHa0VW+/rJo+uWyuoXTktDF5JGcw1Sumtgrf w0DPGALDgdIzz4ttbw4Crd6tr5AQEOLsay8jgdc5dTEt9SydkgB3g58If8LP/mPC NLWwd/69zTQ5qNdUrLlLirAZxUybaviAIHwZ64ZwKCM/WHgAF/32UgkeQwFTSfqv TRgI90tfnL4Oi1s/Au3gTnb8p8UZ7Ao+htA/4PpRws/rbrvtFkAhVVQfrj8ygzWm eA6G8Nj1uDED46Z415rgfK52JXTLPyV4i1hfKkc88HfR40BuUVvBrHwk9+szhbqx Tn+TbzZI3RaoRonU8IGyikFWd17s1SNd2/I6ccTgnjMx49JhTVXn/Kqj+nqwM2PT CzX84iReBvdzxGa2/Os9PvM3BLGByddgWSMcn1bhuwngnLiCsaW2cAVgfY0Z+ypP y+PN+27BxneRmJIeEDrGel3b2gd/WzL5mya+goMrg8P1LsfG9J7qQXPZiZ8Hz1vL TaGVK0gxTsWAhh5elbE6GYSMuELAIsHof2+zXtM3XBeZ5CfHrghj70b8xgssOMal njXjlvdpr6OgWuIliPbYKd81fqafA97WLPtr56xbDmy9YMJ6PoA3fVTBNpZKUiwo RVwu8gfyZmXvfC6T6hHw5mGsNthUFncV0DcoA5JxIHpmgGzgQCdlDAK7aSP8oxew GTUyX9P+RPdoNaphTgQ+CLOylmRiBlewip5A0KbRSIiWv8BqPlrEycbRUaFJ3tnL y1FCV+PmKb2xTqlH+eC7HpFTtOKvaacXRNWcLX02bQ6W9B6DsYNEf6IW4u9FWtkJ RgbjZpnBeNMPHxww5ndUcKLL7onkfVmhL+DlRw3oAxnkd79f/SXMUJYwNZKU6EJ2 4b5Q9XsX83hNqGSEE5YAWHkoZEApec75Z+ohPFDiwDFj74QQIJYAyeq8pZS4S2uW d++WwO+AXq8ZO2jiBG9h/hEXEyO1nHlSWI7N4m1awmeZt2MrE960lmhAz4tamBPk xiXsHUYZHYpUdO1BMN2eFETNfkxgFPRgRqk2RnFi6pk6ZVWywK23GQK0++fsVA8g gaw9E4V75ughJmWH15eYyUQv2PVxZPgudSlKeb2GQzjyLxzYwUv1/yw0YdHvrA== Extension name: 13f1fd7rp ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0E5B02AC0834A296

http://decryptor.top/0E5B02AC0834A296

Extracted

Family

sodinokibi

Botnet

19

Campaign

36

C2

bcabattoirs.org

baita.ac

prometeyagro.com.ua

nepal-pictures.com

juergenblaetz.de

3daywebs.com

penumbuhrambutkeiskei.com

primemarineengineering.com

slideevents.be

holocine.de

circlecitydj.com

basindentistry.com

kemtron.fr

deziplan.ru

diverfiestas.com.es

craftron.com

mariannelemenestrel.com

ufovidmag.com

eafx.pro

humanviruses.org
Attributes
  • net

    true

  • pid

    19

  • prc

    steam

    agntsvc

    synctime

    oracle

    isqlplussvc

    dbsnmp

    outlook

    infopath

    excel

    xfssvccon

    ocautoupds

    firefoxconfig

    onenote

    mydesktopqos

    mysqld_nt

    wordpad

    ocssd

    ocomm

    sqlwriter

    thebat

    winword

    tbirdconfig

    thebat64

    mysqld_opt

    sqlservr

    mysqld

    sqbcoreservice

    mydesktopservice

    sqlagent

    visio

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    36

  • svc

    backup

    memtas

    sophos

    veeam

    mepocs

    vss

    sql

    svc$

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3.exe
    "C:\Users\Admin\AppData\Local\Temp\ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\3582-490\ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2924
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3388
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1692

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3.exe
      MD5

      576e872bba0796398f654d327225dc4b

      SHA1

      7a50311e51b5a04e23f66a2e30891fb10c46eb66

      SHA256

      1fb842e87f23e37ab39e201a024845c323c3d239331768db694dca96ed53d8c7

      SHA512

      6bc556d8eb36e1e23b5b4f180897513a1578e466019bb3dc43007f37b194705ed9176edc8b1ceb14222bf3bc169c1b172c9dbfd2e1968b94a4c77a8bd14bea89

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3582-490\ba9592242e0e033b3c75bf06406b9ad8510123e950a139ac363de1812631cfe3.exe
      MD5

      576e872bba0796398f654d327225dc4b

      SHA1

      7a50311e51b5a04e23f66a2e30891fb10c46eb66

      SHA256

      1fb842e87f23e37ab39e201a024845c323c3d239331768db694dca96ed53d8c7

      SHA512

      6bc556d8eb36e1e23b5b4f180897513a1578e466019bb3dc43007f37b194705ed9176edc8b1ceb14222bf3bc169c1b172c9dbfd2e1968b94a4c77a8bd14bea89

      Download Submit

    • memory/2924-123-0x00000249C7620000-0x00000249C7642000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2924-128-0x00000249DFC40000-0x00000249DFC42000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2924-129-0x00000249DFC43000-0x00000249DFC45000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2924-130-0x00000249E1DA0000-0x00000249E1E16000-memory.dmp

      Filesize

      472KB

      Download