Overview

overview

10

Static

static

10

a207ef339a...0d.exe

windows7_x64

10

a207ef339a...0d.exe

windows10_x64

10

Analysis

  • max time kernel
    161s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d.exe

  • Size

    204KB

  • MD5

    355e7899e9b1c032865ce0e2b98a257a

  • SHA1

    cb96abf6a6172feb9e95fb08981a44332cd06ea5

  • SHA256

    a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d

  • SHA512

    18bb8f91153fcac63881e189f0e40301f49b21018b66b6b560e80fd8b843c27610bf59bfbfb804cea98b07a32f4bc7cf31c562589307ba6f938531addc9e9d21

Score
10/10
neshtasodinokibi1935persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\92u020en-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 92u020en. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/83C42B53259461A1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/83C42B53259461A1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ZS9DUinY+t0CLkQjxueFZSSeRkgRCnkasgO5QeKmKow3lVOc8nRzPSLRMpNXPbsG 4RR36dXfW6O57J8OTXIrRoaZYdIggumBP9SL/QjNGwLLtALl5qi6mR6c1HCEvN1f P+NlXJuNCOShXlOnW7K1xc92r+O4m5xvq8d7Xkb7GlwUJdd5OqwwZakpcEDs07Ie S7VAljqPICBfN3ceGWiRYaxoVQzvDWLvVztFS5grV2Ic36Wnbr1GMRJrG3uCYkd7 V+FApIKc7EL8jag8hysg77q75X29fh3kdmpAHsW4v+BfCq8A3ro439jHLmWDH3gH 2BKD0RL02QCXG7RZf5/wrOL16nqcHD3KW2tzDLYvObgPI3jYOIND8ncCNtuCwqhw CleSesId4lQxslMcon4CljKeLTy9fn5EIjWLqUnW8OyRldO3vsvx+1vyYWIQs3iP IjJgRujF/M/LVfw+3wkRy0COi2NHPz9cZeBvp1SChVsY49j8wc1qtIogJhRgbTSH qj75Nl3618yR2I5HK8+16C3/bHrvogiaJVoss1o0tfe+fktSMrLjCA8UR5+EM8bw s8ua8rDsrqoqNj+UpjkDZ/O8tHHMASuDkDlRrYTuq4OUKSUDQmRZCCamksVFGsUT XknTLN+Gw2A1FUXjY9SFrejyFg7CGhizp8XrdCSFDDeZnllTWvkdtyLHUle8OfMv EHSyJ6bdusqNBdOG8E0ytMBdZ/f+vyEy4V66pRzqIGsTIWdjen0gclg3a43Jc7bm Pj9jEvMERtpsmbO0qe1nqQcLyntpA0TXh66OyX/xIKawq8N7Q/JlqcnpZTzCjTw2 0ffqo3ytEygdZTbBbHat2WHqJwcAv0wWaw/aDN+9sLzjORtaiODTIvy9qzNejUpU ya+28wP+3qYc3KcuXO/SmH27GvKyrjYW3I0/L1ShrEMiVj8DBNUZkBUmtsqz6rKJ NBuoJwaIdS+YQ7nn0/8CIUHHmR5P0kj9g3sC7E46KmFGVD6SWZWV5UiTX31Qp5i2 VtpFeCYmhCejyf1THJd63r/hwyKXhp7/CoqbWFqwQ5mqOKgOgKR4YmL6Vfczmx+k uCLyjN885FXXoIp8N8pFfpGRL6KEbchf9yGewsIVD9/zU6jtW03LpUubXTI= Extension name: 92u020en ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/83C42B53259461A1

http://decryptor.top/83C42B53259461A1

Extracted

Family

sodinokibi

Botnet

19

Campaign

35

C2

latableacrepes-meaux.fr

deziplan.ru

citydogslife.com

karmeliterviertel.com

mundo-pieces-auto.fr

sveneulberg.de

avisioninthedesert.com

pureelements.nl

aidanpublishing.co.uk

gavelmasters.com

biblica.com

baita.ac

innovationgames-brabant.nl

production-stills.co.uk

xn--ziinoapte-6ld.ro

reygroup.pt

apogeeconseils.fr

kristianboennelykke.dk

andrealuchesi.it

efficiencyconsulting.es
Attributes
  • net

    true

  • pid

    19

  • prc

    winword

    encsvc

    steam

    tbirdconfig

    oracle

    sqbcoreservice

    mydesktopservice

    mspub

    ocautoupds

    wordpad

    ocssd

    firefoxconfig

    mysqld

    thebat

    excel

    isqlplussvc

    thunderbird

    mysqld_opt

    outlook

    visio

    onenote

    synctime

    agntsvc

    thebat64

    sqlservr

    dbsnmp

    msftesql

    mysqld_nt

    ocomm

    infopath

    sqlagent

    sqlbrowser

    powerpnt

    dbeng50

    mydesktopqos

    msaccess

    xfssvccon

    sqlwriter

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    35

  • svc

    vss

    veeam

    svc$

    memtas

    backup

    sql

    sophos

    mepocs

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d.exe
    "C:\Users\Admin\AppData\Local\Temp\a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:364
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3976
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1168

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d.exe
      MD5

      1eac0f4ac60cc30b6b448dc102fdf825

      SHA1

      149a8f379faaca8c79b00256584a9c9aa6bf0639

      SHA256

      26df34c6b83ece197977c432fbb033da55d117d3018df939adf5b0927fcec83a

      SHA512

      6f9e3b21cf74670a7fadcffea5aa55401014cb65d93949b42305b1142d67d58d01f35d2d5769730bb07437c5e8d36176df594192d5ea518c3e7519c770ee3aeb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a207ef339a7b12a825bd9f5fc6349e6c1ec130dbcb48d663d0d1fc91a534aa0d.exe
      MD5

      1eac0f4ac60cc30b6b448dc102fdf825

      SHA1

      149a8f379faaca8c79b00256584a9c9aa6bf0639

      SHA256

      26df34c6b83ece197977c432fbb033da55d117d3018df939adf5b0927fcec83a

      SHA512

      6f9e3b21cf74670a7fadcffea5aa55401014cb65d93949b42305b1142d67d58d01f35d2d5769730bb07437c5e8d36176df594192d5ea518c3e7519c770ee3aeb

      Download Submit
    • memory/364-125-0x000001E653FC0000-0x000001E653FE2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/364-128-0x000001E66CBF0000-0x000001E66CC66000-memory.dmp
      Filesize

      472KB

      Download
    • memory/364-142-0x000001E654020000-0x000001E66C0E0000-memory.dmp
      Filesize

      384.8MB

      Download