Overview

overview

10

Static

static

10

a026273fc8...6d.exe

windows7_x64

10

a026273fc8...6d.exe

windows10_x64

10

Analysis

  • max time kernel
    161s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d.exe

  • Size

    156KB

  • MD5

    b00071dfbe25af09803ab7975fae1c27

  • SHA1

    e445e7c46dc025ac68be6af99ca7227f14517706

  • SHA256

    a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d

  • SHA512

    126ca308efc8bc83fa91378601b157036bc2a5643514b461fcc32ea11e789c786806a2a8aa4e8c5a3e012fab0d039dc07ef814d735a416a5b021b18e1430636b

Score
10/10
neshtasodinokibi$2a$10$/1erf2dv7bu./sktnhnq0e2ct8xn8viae.byolkca/q0dbfs2lk/s35persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\805cdg9-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 805cdg9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D6ADCD5D9F830756 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D6ADCD5D9F830756 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: gQF0bMOh5VG9Pw1Nlzq72+vX/VEBUfaIvMeSdOPsgeUHiGecwlWebeAXWnOUfo1V 6qsPuXEhw0/xYpuuYdWs7DMGfwbPhSllb5h7YOE9nPtNxRaaS2vGW2rE6WJncH45 LuP0y6osn5kGZoH7qr4CMS81stv6lXry4hqiwthOHUHkaJO966PApLKJWBaqBler zF07J6iNLDDBUJ06aUpUla9KbGsvvSYXa1TkTzTWKAyJrYNgigG8Nazx+hsY8S5y /LRlf0Nf8vblmmpXSWbX9CAOcSIn3lsSG9ck4gXVLRPGjicmJK80x5moJXmf0pkG o2NNoLb6MCuR+0126rsjr+pEafBaaKIcOV4/LphyQhc7rM/4djC3r7FW7s1sZ2Xe qhutQ1ViVbNrDRJ4MC2a26ajt3p733YX7D8V6jSdROcIhMg8/KD6CHZPR9+qXrsm SawgtQynfrk9wKw8GoJiqXmLXiWg1Ef7xn0iahoz7EpDs4E0bpKw3OaB5mggtLbg Dp+A0jt+oSSZ7GzMlXMMni2U9vC6Iqrm0IXVnVAc6p82J+zd4YPkj9M3/jXTqUPF LVfcAFFo65z1BrN+fY49sHrVsota/PRuhufoVUEVLb8EUmDMeLOOiWhHHYDcH99x urQy7N6kF3ig3BjJbal97X67Dd94p3YMEjZtS+P0+1jH2f5p831BIMUGG9kv1tZQ kZEOlDgiwyu45NlvxU7OaGblG0gvwHJjNDlK+D7rRwQm9simi6Gtm5cwpSAD2rWG XKZnUxpNBGMfx2nseqBv9QbH55mOdskEoPKqu6BaGqtzXpH8iLqQkOCyt4nt73Uq ZBHZ88us6H3pCgH+HLY3uSKR2ynfIYkLh3nwlR6iVfRy01p4npDQNLiR8+qvhUc6 p5ay5dsvsWbXgdoqYsKdK9HWCOaDOMGmspq+EbvjwYVyVeyIh/siJrAw3HqXp2m3 F58qSpmANhLtxxGJIiJy9Ejamgd3ip0U0DrbnMZWir2XzZGMbnXWAFS4bnWbM8w8 q7ZD+SPP4YZZwSCB1wWsWs8fLUhz70XFZ7yEWttZkqNnpmwvCPfvoPphvqXyY1Mb GECMtUvcmkbCKqynxAeZt7yR5rA7WHgpwRrgjGL07t59ybj89ecjsYOWg2gJVWdD Fr8WdXgmfH0rpmmoY8RrE7IPO8Zyfd+2zuxOpC/jAktyHDo82+9XZhuGypUwlllG ztcvMMu3ErHSCGMI+nAW2aE1DSUx/VSo7OoNR+0JQLO0mXh1HMWwmytWI/pTKe+L 88mW7wuQCvEHxet0va0= Extension name: 805cdg9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D6ADCD5D9F830756

http://decryptor.cc/D6ADCD5D9F830756

Extracted

Family

sodinokibi

Botnet

$2a$10$/1ERF2dV7BU./sKTNHNQ0e2ct8Xn8ViAe.ByOLkCA/Q0dbfS2Lk/S

Campaign

35

C2

deko4you.at

schmalhorst.de

abogadosadomicilio.es

theduke.de

coffreo.biz

projetlyonturin.fr

sairaku.net

4youbeautysalon.com

sevenadvertising.com

cirugiauretra.es

jacquin-maquettes.com

herbstfeststaefa.ch

1team.es

skanah.com

mylolis.com

forskolorna.org

jenniferandersonwriter.com

thaysa.com

jeanlouissibomana.com

slwgs.org
Attributes
  • net

    true

  • pid

    $2a$10$/1ERF2dV7BU./sKTNHNQ0e2ct8Xn8ViAe.ByOLkCA/Q0dbfS2Lk/S

  • prc

    mydesktopservice

    mysqld_opt

    outlook

    mysqld_nt

    visio

    thebat64

    sqbcoreservice

    thunderbird

    xfssvccon

    ocautoupds

    infopath

    mydesktopqos

    sqlservr

    mspub

    sqlagent

    encsvc

    excel

    sqlbrowser

    dbsnmp

    msftesql

    ocomm

    steam

    firefoxconfig

    sqlwriter

    oracle

    agntsvc

    thebat

    wordpad

    ocssd

    msaccess

    onenote

    dbeng50

    winword

    tbirdconfig

    synctime

    isqlplussvc

    mysqld

    powerpnt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    35

  • svc

    svc$

    veeam

    sql

    mepocs

    sophos

    backup

    memtas

    vss

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d.exe
    "C:\Users\Admin\AppData\Local\Temp\a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d.exe
    MD5

    4bda5d7d4ce3faba5f3d2197d16f02b0

    SHA1

    cf839231de7e7e5fbe8cfdee462733308ea67850

    SHA256

    b613526b093b8ff750f04b920b307dbd340b1787b006a9689184d22bd348df33

    SHA512

    9c94167554f5134c9ce066ab7891067767e1f4193757e45f3bbcdce5fc707b462a4ed1c06a31458edeac88f63caa77b318a2025ff4cbcb7934218d294ccf062b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\a026273fc8699c1b3de9a3f7ed680fee3c2a1a008034698ae2595262635e8b6d.exe
    MD5

    4bda5d7d4ce3faba5f3d2197d16f02b0

    SHA1

    cf839231de7e7e5fbe8cfdee462733308ea67850

    SHA256

    b613526b093b8ff750f04b920b307dbd340b1787b006a9689184d22bd348df33

    SHA512

    9c94167554f5134c9ce066ab7891067767e1f4193757e45f3bbcdce5fc707b462a4ed1c06a31458edeac88f63caa77b318a2025ff4cbcb7934218d294ccf062b

    Download Submit