Analysis

  • max time kernel
    139s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:26

General

  • Target

    a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe

  • Size

    158KB

  • MD5

    3aef3009d06b0f41ac5ef79719de858b

  • SHA1

    a90e2f70158644795a4ed571dff27be032855a7a

  • SHA256

    a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30

  • SHA512

    08dd0e50becdb2f55270864f7591971b809f82c5f70dff3d6ef78e5d4282ef9f42df190acf476a63f94d40d1e413f607cbd474e741030462a54ea7a6e939f305

Malware Config

Extracted

Path

C:\f3zi38348-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension f3zi38348. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4F2B286CBA81C23 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B4F2B286CBA81C23 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: eWT/l9+oka1gPicSCIU0FXoiiKQQQX89jkG6GSlyTjBI43vfj+iozrBTOCwA2uNL knjKInH0JyxK1HiktXdIZTi9K2/Ovl2aUi2dH2yMe97dheG9J6hYWPvJtiHsu6j2 DGKPoyP+sV90ENQH8DbcsjHIRf0yUjepNq5MieB9Xjw/o5Jy/W+lU4by4M73Ze2n pgdonyy+ZDCh8dyczC9rRCL6Ph6i1L0l4yQLmqX1qe7vzhb9Tuqlhv8VypetTQq4 9gtFdfjHTAwT4rf9H6wCIBjiX30l5CUdFaHkvMDLBOQfiUnRIiOuwE2OSd6cjqAa jcm7/zqEeF/+FABO05lQTYLL9ZT9I4gCqcUqFkXWpMMm0bx+jEh6zK9oCkwmQIBw aVyrTbdAUFXb8TqopwImjOQCp0GESw+8V12xilcCSEjL84wZkkjM/FDwR+ibkfUP Pd0oC6/puGRH7WtY3XtXeWoYKJo3BU5N8MEG022RRDRcV7XkmpbO2rpqvn5a3Wb1 HEyQHzPAVhLrx6upwF681olmd1x7qBC1GXixOvnUkmetKyLtODs/YdYPSZ0vyNTj yk+o1mKjRm5QagPrUnfKpBSDgw7ox161/jTNDfCZ85z9vSGzToX308TzWUVif0zB LnrCRXK+j2DsVssPztqxSG5A4AGypLhplD6AjRz7yxEi3fBGNj3zNXtLuc7On3Ku UnomvlDwEygLJAMD2J2N9IGI7s/YGYMSBRcR7dXHQv+S4VhiPsecNiFJB3OlzxMh j21jaYXvBvcRBn7kVYfTQxMHznDUb0h5kx247/R2dsW/0oJ0dUtFrnkrM80dr6W8 yNT7K8OzP9KwK+HayI0BDaGRkfHwF295wS55LxgS4n1n7l/VHSXCtv2UMNATyGAT 84zio5tgtLM+b6Hysz4/YBOR+038alVFPGB7sESweumdX9w8Dugs5JQspZi3fpAs nmwesaj7jE2rRfBMpxdIa2EjVcXqWpYDe0EjkGKu3ErMSMYIUM7WD0HM+jCCNXAT ebzHLqfbQLhJAAvWReckPErXQbAHRsdpwXjkS2rSZJzL+q7e3fNmnJqc83fq8/sN rJONt2IUi2kCrhZ///XpfLDxWJyBdx5mFrEh8F2rEaVT95gI/bGhDdEHxC9u9Nz+ 6R6ySuh+oFPc5CbkmCWJpNswh2HNOctn8RRyasgFGpi+dlIyHOmHW7sTUVI6HYX6 Kp9GzTg2GP+M0FfwuFar/o7+qTb6Fa7atREZP458OKXQD7mwqnuHKldNP2ey4E2Z pHTLN8JSaJhHCe5DCFnEcw1GZXxG6LQF/M+bVHZp ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4F2B286CBA81C23

http://decryptor.cc/B4F2B286CBA81C23

Extracted

Family

sodinokibi

Botnet

$2a$10$jic4PWjsOW3XAFg6jrtWU.4s2YBeZxLBwNhXoxP2z1e6MThWCdpHu

Campaign

5223

C2

urmasiimariiuniri.ro

thedresserie.com

hotelsolbh.com.br

theletter.company

directwindowco.com

hugoversichert.de

ino-professional.ru

bogdanpeptine.ro

d2marketing.co.uk

boisehosting.net

girlillamarketing.com

romeguidedvisit.com

maineemploymentlawyerblog.com

sachnendoc.com

pomodori-pizzeria.de

vesinhnha.com.vn

restaurantesszimmer.de

toreria.es

homesdollar.com

caribdoctor.org

Attributes
  • net

    true

  • pid

    $2a$10$jic4PWjsOW3XAFg6jrtWU.4s2YBeZxLBwNhXoxP2z1e6MThWCdpHu

  • prc

    oracle

    mspub

    outlook

    sql

    tbirdconfig

    msaccess

    powerpnt

    sqbcoreservice

    mydesktopservice

    thebat

    visio

    dbeng50

    ocomm

    ocautoupds

    isqlplussvc

    encsvc

    mydesktopqos

    thunderbird

    xfssvccon

    dbsnmp

    winword

    synctime

    infopath

    wordpad

    excel

    onenote

    agntsvc

    ocssd

    steam

    firefox

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    5223

  • svc

    backup

    sophos

    memtas

    veeam

    vss

    svc$

    sql

    mepocs

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe
    "C:\Users\Admin\AppData\Local\Temp\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:368
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1032
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Change Default File Association (1) T1042

    Registry Run Keys / Startup Folder (1) T1060

  • Defense Evasion

    Modify Registry (4) T1112

    Install Root Certificate (1) T1130

  • Credential Access

    Credentials in Files (1) T1081

  • Discovery

    Query Registry (1) T1012

    Peripheral Device Discovery (1) T1120

    System Information Discovery (2) T1082

  • Collection

    Data from Local System (1) T1005

  • Impact

    Defacement (1) T1491


Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe
    MD5

    a9f731de650ee1ba0ef91e1386ac2dad

    SHA1

    60f6ad3ec25581bb53dac56634cff820e0d6fd81

    SHA256

    5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4

    SHA512

    248f4e1297ab1e00fda37dd546a7f173ef5d0a0d2fd656adba97f8f07dfa0e1e27d9a7cc4cb55f3b451f7e5ce1ff7cf569cd3da42c91d1ed1bc16a6e93c9c2d0

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

  • \Users\Admin\AppData\Local\Temp\3582-490\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe
    MD5

    a9f731de650ee1ba0ef91e1386ac2dad

    SHA1

    60f6ad3ec25581bb53dac56634cff820e0d6fd81

    SHA256

    5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4

    SHA512

    248f4e1297ab1e00fda37dd546a7f173ef5d0a0d2fd656adba97f8f07dfa0e1e27d9a7cc4cb55f3b451f7e5ce1ff7cf569cd3da42c91d1ed1bc16a6e93c9c2d0

  • memory/1564-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
    Filesize

    8KB