Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:30

General

  • Target

    98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705.exe

  • Size

    205KB

  • MD5

    20ec49de6d2f5b22796b63d960890fbb

  • SHA1

    890b34f3ace317b3b37a9f560aa10578009b650c

  • SHA256

    98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705

  • SHA512

    449218d59e00e34be6e48b44b7dae836331aae905cffd484e501b2ee898866762c6026d649d2c4ed11d8a18bd78af60e7aca80c12b91253a437081afad399942

Malware Config

Extracted

Path

C:\28t91-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 28t91. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7630AAF5E932AF82 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/7630AAF5E932AF82 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: R2y1ef8dqfLuA+7DoOVOdw2jplKMCMaiOrBtFZq5aCXD9jZukKm6xT5z13EHLvPy r3J5hW8ye2Wbyk1fg5BbzH6J29l3HEtVinR6b/9+UWZXxhoCJDvI0jdxgKLw9tSj jqCJUDU/XKLlf9KSL/lHm8GSLvA0fmNyFdh9iGkIMDCQnAEZkySg/whlQSI8wh/e ddbIgQ7GahoIUKZavaPz/PyLBEPcFw/+qrnFAGYxM2/R23r6JXZOv81+7J0NF1eD ceoaFevB5VgliSJUMiL7Tf+VVuLxmS0w6srz29fc/4LHo5NpyhHWDT1mxtHaLxzj Hnf7suKP8mci3Kef5AmQ6QPutpxW8jNNqBiZfmWZztCgnaZPlvqBBQ5qp0feObss 9h3l8YwiXgIqUaz7cCBcPt/qgYeJkQP+VySR0GgUsBEpQyOGehHE39+8YfH1RJyj gjn/qB8UGS4s0apzmHeahBSx+zbAW/D3D0Xr7NKUKWWiWuzzBcuNFnawWZ4fyfND EaK2PE3EeInFKDbJcKvM4+PP8D/5rKdixreh97mrTM/39oPCltVm/q1+vdUfmtC5 xZ7sc9vE/jMJ/HEHtJlUOJZ127xQHijcy9/7dncY8MXm2HErascXVmffE1v56OUH +vXJY68EgB2inHaZLTcKW/JAk5ROC4VUNRiMLBmnlkvIOjzp9DvVVg7peeszQSnH FOrkUfih+HgNP+ObI+CIeBSPRGggk4Mjskt32x6cuCPaZhy5C1JdwkLQ9UXuKS3r mZNCaZiJ7HC+xCMI5sP0fiLeFRnFiM/y++RsD+OoDl/6+dS3JoWsnz5VsrWxfF2S 8CuvW0IsozXtzpPX2S414t1nnYMCXCCY6SFyVLWG0XxwYCFEW+zWtbA700zeSEGp dJxN5ICgOaZqEUypaF24yyYfzi6r0QnonbA5opX9tif+eupe88aRrboYshGvrABL fZ5P2Bd35gy+fdHERd5Dq3b+YflFaOqZYt+B8lGp6R6/HnqUs4I3dJiQM8YnAJ/b Y8ha4RYJAlK/RTWGExqaAYeGibYnSFsA00rZLbgY8bVea/tFrfEU+N6elzUjEear Fb3DUA8fo8EKI8rV1kI3wC0nO+RmTwV2QUTjIwvFOpn3NjKlpBx0GWMv Extension name: 28t91 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7630AAF5E932AF82

http://decryptor.top/7630AAF5E932AF82

Extracted

Family

sodinokibi

Botnet

19

Campaign

1428

C2

bcabattoirs.org

2020hindsight.info

campinglaforetdetesse.com

alwaysdc.com

amorbellezaysalud.com

business-basic.de

pourlabretagne.bzh

chomiksy.net

ideamode.com

auberives-sur-vareze.fr

fire-space.com

molinum.pt

90nguyentuan.com

ncn.nl

die-immo-agentur.de

michaelfiegel.com

scietech.academy

handyman-silkeborg.dk

adabible.org

harleystreetspineclinic.com

Attributes
  • net

    true

  • pid

    19

  • prc

    mysqld

    mysqld_nt

    mysqld_opt

    steam

    msftesql

    thebat64

    onenote

    sqlagent

    oracle

    mydesktopqos

    ocssd

    thunderbird

    msaccess

    wordpad

    isqlplussvc

    synctime

    sqlwriter

    tbirdconfig

    sqbcoreservice

    ocautoupds

    winword

    ocomm

    mspub

    firefoxconfig

    powerpnt

    sqlservr

    xfssvccon

    visio

    infopath

    excel

    sqlbrowser

    thebat

    agntsvc

    dbsnmp

    encsvc

    dbeng50

    mydesktopservice

    outlook

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    memtas

    mepocs

    sophos

    backup

    svc$

    sql

    vss

    veeam

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705.exe
    "C:\Users\Admin\AppData\Local\Temp\98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Users\Admin\AppData\Local\Temp\3582-490\98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:588
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4004
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1776

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Change Default File Association

    1
    T1042

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705.exe
      MD5

      8cf4a7cdc02344752f96018d8cdcdf13

      SHA1

      a1bd78567bc768cecd8ac99b0af350b127664e21

      SHA256

      8c7d3cd88fd1caeaeb00f0899decec457fc38dcfa436cf73dd348d3dab1486ae

      SHA512

      a3f5268692c84aba1bb86f264f543e9dc2d690e16599fbb3cac291ee38c7ad2066e8e55fcc8c2e6edc2d02eceb9f6795d2191cf42822157d291763d26f719ffb

    • C:\Users\Admin\AppData\Local\Temp\3582-490\98fc76f4920bef67830be2d7d9c45fcff4ca47c9003573708c5b1edfe5a1b705.exe
      MD5

      8cf4a7cdc02344752f96018d8cdcdf13

      SHA1

      a1bd78567bc768cecd8ac99b0af350b127664e21

      SHA256

      8c7d3cd88fd1caeaeb00f0899decec457fc38dcfa436cf73dd348d3dab1486ae

      SHA512

      a3f5268692c84aba1bb86f264f543e9dc2d690e16599fbb3cac291ee38c7ad2066e8e55fcc8c2e6edc2d02eceb9f6795d2191cf42822157d291763d26f719ffb

    • memory/588-123-0x000001D11D4F0000-0x000001D11D512000-memory.dmp
      Filesize

      136KB

    • memory/588-126-0x000001D11E080000-0x000001D11E0F6000-memory.dmp
      Filesize

      472KB

    • memory/588-133-0x000001D105480000-0x000001D11D570000-memory.dmp
      Filesize

      384.9MB

    • memory/588-134-0x000001D105480000-0x000001D11D570000-memory.dmp
      Filesize

      384.9MB