Analysis

  • max time kernel
    166s
  • max time network
    164s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:26

General

  • Target

    a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe

  • Size

    158KB

  • MD5

    3aef3009d06b0f41ac5ef79719de858b

  • SHA1

    a90e2f70158644795a4ed571dff27be032855a7a

  • SHA256

    a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30

  • SHA512

    08dd0e50becdb2f55270864f7591971b809f82c5f70dff3d6ef78e5d4282ef9f42df190acf476a63f94d40d1e413f607cbd474e741030462a54ea7a6e939f305

Malware Config

Extracted

Path

C:\mtq45-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension mtq45. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F4E1A6639DB05278 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/F4E1A6639DB05278 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: uuoXHCT37efSs80FfW5CKgfU4kjhwIm+80nkMOnorPMnfT/OF4U9k3+ZEBNtETSD j5xYEj3x97CCNK8ty+8UKvNGy8a94oFjj4UY3ZU/o7cTZM1zbrk0W5iJ2LmUQuvj SnIzH+SnsaU+5d1f852FDVjEGV8iHExQgpFarRJNunbYbbKZGoxDlOc4tVDmaF1r eFELE+Lhdsb7r+Dso2/OpTiMhKQRRbTDmep+54ss0xW1g1Q/jQHIM3kcRjvepirR D8/7kjar9X1aXgXH6gmsiWnKEQidQfTbtHpX36YWW0I74ArvoSNtCbkvzq0+UT4B 6Poa08etPP63Tui9nmCTFyr/1rNYi2A/nN9WYwmzZsRRw2oxso4hv25x4BaUWyg4 Gih2526qt4x/TjMeDED7tF1oU5ATV22k+G7lBiAJl7eTjCulN6P/7h9o4GLOxGmw /qbozjVb4fR7nWjGcZZLaoGPD13nO82fn21/6S/vamwSRfEiqdYIKen/vVHIdsDg xGqG1/ReQuu+pUt0VGYeDTk9RI22WhHhCqlUObBEC9ZPPva4peJEF7vPEE/rIA6n ie+5nP1JO2ztMliCY03m5+cT0aPh1XT/J+cwobqhJ9EJVFY9gd/do5ztjwx9sI+P P7NFpwGNhkXF1n/9jGxMNX1t2NL9IpY6x5sdIaHFhhIpKCLjh+Rd6D159KdKfvbC b2E6c/OQT5OGIEkC+iJQwFdXuddOlBIruNy8DYJCBgNsPpSk8QN7f8YTLeYUeJTk 7hl4PAXeBR2AY9w+WxUQMmS419RMomPG8c81fQoxpuEr+czUAReHVa9gnFBNR3SV 25Vj1363tCYTetcus+yT9UQAAqMFskxl5zPRq95x7BnKUA57QB2luoS0R2/A06qH oogshUcHyQawyz6xEnOxMSc+WSBq9wjpxJ4jgrrHeMJnNyeKeBoMsZTxTInqa+4o MmRiC/Lc807xUh0UK45iLka6Cmh/g1/SgimmLc+OmqTpb4TcleTIClr+hMfH4h58 e5IPbnbK4AYXXJgWLUHt0yWC+Oai75QIpW9bfRLldH0ucgptc8+1mylyUjqtN++A 9A9eGvllmwHyWIXcQ9ErTD/i6qWWeBXfmB+TuJZ4FUURaMiTSLCMcSjDFYwKCBGy NTtNoTMTYa7byryfZMV3jyrLIKAIncvjzgKZXxebGgHen57T2Q38sDDuZtAagsWB ZxzIO4hDMuODNi7SmnW2Wn3yFPRl3MEbdh1kXqx0ujCK7qDM6dL5FjlG2jmHRCRW 8DSmpwOvToEgw2rTnxs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F4E1A6639DB05278

http://decryptor.cc/F4E1A6639DB05278

Extracted

Family

sodinokibi

Botnet

$2a$10$jic4PWjsOW3XAFg6jrtWU.4s2YBeZxLBwNhXoxP2z1e6MThWCdpHu

Campaign

5223

C2

urmasiimariiuniri.ro

thedresserie.com

hotelsolbh.com.br

theletter.company

directwindowco.com

hugoversichert.de

ino-professional.ru

bogdanpeptine.ro

d2marketing.co.uk

boisehosting.net

girlillamarketing.com

romeguidedvisit.com

maineemploymentlawyerblog.com

sachnendoc.com

pomodori-pizzeria.de

vesinhnha.com.vn

restaurantesszimmer.de

toreria.es

homesdollar.com

caribdoctor.org

Attributes
  • net

    true

  • pid

    $2a$10$jic4PWjsOW3XAFg6jrtWU.4s2YBeZxLBwNhXoxP2z1e6MThWCdpHu

  • prc

    oracle

    mspub

    outlook

    sql

    tbirdconfig

    msaccess

    powerpnt

    sqbcoreservice

    mydesktopservice

    thebat

    visio

    dbeng50

    ocomm

    ocautoupds

    isqlplussvc

    encsvc

    mydesktopqos

    thunderbird

    xfssvccon

    dbsnmp

    winword

    synctime

    infopath

    wordpad

    excel

    onenote

    agntsvc

    ocssd

    steam

    firefox

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    5223

  • svc

    backup

    sophos

    memtas

    veeam

    vss

    svc$

    sql

    mepocs

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe
    "C:\Users\Admin\AppData\Local\Temp\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\3582-490\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3840
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:4052
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Change Default File Association (1) T1042
    Registry Run Keys / Startup Folder (1) T1060

  • Defense Evasion
    Modify Registry (4) T1112
    Install Root Certificate (1) T1130

  • Credential Access
    Credentials in Files (1) T1081

  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (2) T1082

  • Collection
    Data from Local System (1) T1005

  • Impact
    Defacement (1) T1491

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3582-490\a10298c6c4d52c1ebd572a254d61e915049acc2910c9157287030a9cb6fbba30.exe
    MD5

    a9f731de650ee1ba0ef91e1386ac2dad

    SHA1

    60f6ad3ec25581bb53dac56634cff820e0d6fd81

    SHA256

    5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4

    SHA512

    248f4e1297ab1e00fda37dd546a7f173ef5d0a0d2fd656adba97f8f07dfa0e1e27d9a7cc4cb55f3b451f7e5ce1ff7cf569cd3da42c91d1ed1bc16a6e93c9c2d0
