Analysis
-
max time kernel
132s -
max time network
145s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 01:31
General
-
Target
97ce758904aa53c3c4b3e0e4f9fec84958c4bae0cade393d0159a78cfc79cd8d.exe
-
Size
204KB
-
MD5
bee0969692fe9aa8996a3436feb7b764
-
SHA1
370e8a179085da36ef9ed780ece2b75abf1a6de6
-
SHA256
97ce758904aa53c3c4b3e0e4f9fec84958c4bae0cade393d0159a78cfc79cd8d
-
SHA512
355677ffe9bf4aa69adc9dc1310e04de3493b90be26830f25cc6080c06890d055d56a0d9040c941c55db895d474f99422630c27012af06b8625971a72f6a5c6c
Malware Config
Extracted
C:\p85949-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/45230101C056B520
http://decryptor.top/45230101C056B520
Extracted
sodinokibi
19
96
noda.com.ua
jalkapuu.net
azerbaycanas.com
animation-pro.co.uk
jimprattmediations.com
factoriareloj.com
rozmata.com
yourcosmicbeing.com
profiz.com
aslog.fr
rhino-turf.com
skinkeeper.li
brisbaneosteopathic.com.au
testitjavertailut.net
mayprogulka.ru
patriotcleaning.net
hawaiisteelbuilding.com
loparnille.se
nutriwell.com.sg
yournextshoes.com
-
net
true
-
pid
19
-
prc
steam
encsvc
isqlplussvc
wordpad
oracle
ocssd
onenote
thebat
powerpnt
thebat64
mysqld
synctime
msaccess
xfssvccon
firefoxconfig
sqlagent
tbirdconfig
excel
visio
thunderbird
mydesktopqos
sqlbrowser
agntsvc
mysqld_nt
ocomm
dbsnmp
mysqld_opt
mydesktopservice
dbeng50
mspub
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
96
-
svc
backup
veeam
svc$
sql
sophos
memtas
mepocs
vss
Signatures
-
Detect Neshta Payload 17 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi/Revil sample 5 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 28 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\97ce758904aa53c3c4b3e0e4f9fec84958c4bae0cade393d0159a78cfc79cd8d.exe"C:\Users\Admin\AppData\Local\Temp\97ce758904aa53c3c4b3e0e4f9fec84958c4bae0cade393d0159a78cfc79cd8d.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\97ce758904aa53c3c4b3e0e4f9fec84958c4bae0cade393d0159a78cfc79cd8d.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\97ce758904aa53c3c4b3e0e4f9fec84958c4bae0cade393d0159a78cfc79cd8d.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
-
-
-
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
02ee6a3424782531461fb2f10713d3c1
SHA1b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA5126c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
MD5
cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
MD5
58b58875a50a0d8b5e7be7d6ac685164
SHA11e0b89c1b2585c76e758e9141b846ed4477b0662
SHA2562a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
MD5
566ed4f62fdc96f175afedd811fa0370
SHA1d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
MD5
831270ac3db358cdbef5535b0b3a44e6
SHA1c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450
-
MD5
8c4f4eb73490ca2445d8577cf4bb3c81
SHA10f7d1914b7aeabdb1f1e4caedd344878f48be075
SHA25685f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
SHA51265453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769
-
MD5
eef2f834c8d65585af63916d23b07c36
SHA18cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA2563cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA5122ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7
-
MD5
3ec4922dbca2d07815cf28144193ded9
SHA175cda36469743fbc292da2684e76a26473f04a6d
SHA2560587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7
-
MD5
ad0efa1df844814c2e8ddc188cb0e3b5
SHA1b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab
SHA256c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a
SHA512532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520
-
MD5
a2dddf04b395f8a08f12001318cc72a4
SHA11bd72e6e9230d94f07297c6fcde3d7f752563198
SHA256b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373
SHA5122159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3
-
MD5
154b891ad580307b09612e413a0e65ac
SHA1fc900c7853261253b6e9f86335ea8d8ad10c1c60
SHA2568a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483
SHA51239bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6
-
MD5
f6636e7fd493f59a5511f08894bba153
SHA13618061817fdf1155acc0c99b7639b30e3b6936c
SHA25661720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1
-
MD5
07e194ce831b1846111eb6c8b176c86e
SHA1b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA51255f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
-
MD5
a49eb5f2ad98fffade88c1d337854f89
SHA12cc197bcf3625751f7e714ac1caf8e554d0be3b1
SHA25699da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449
SHA5124649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593
-
MD5
5498c2ea6c3d26c94247715deb4c09a0
SHA1c8328ca80fb0009fbdf92fd52a110e604db267b9
SHA256a096e7ed6b4ac331fb64a81cce1ae13e9c8c64a442b28c1556f7015f3b0ed4f4
SHA51273e65253cb754e7469797e355163444035ef2f85ae3953223e83b14f5070de6da17029aa2728c0ee1bd007df7722b338a39ee3d71b73888f4ed52a111c208159
-
MD5
5498c2ea6c3d26c94247715deb4c09a0
SHA1c8328ca80fb0009fbdf92fd52a110e604db267b9
SHA256a096e7ed6b4ac331fb64a81cce1ae13e9c8c64a442b28c1556f7015f3b0ed4f4
SHA51273e65253cb754e7469797e355163444035ef2f85ae3953223e83b14f5070de6da17029aa2728c0ee1bd007df7722b338a39ee3d71b73888f4ed52a111c208159
-
MD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
MD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
MD5
831270ac3db358cdbef5535b0b3a44e6
SHA1c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450
-
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
MD5
5498c2ea6c3d26c94247715deb4c09a0
SHA1c8328ca80fb0009fbdf92fd52a110e604db267b9
SHA256a096e7ed6b4ac331fb64a81cce1ae13e9c8c64a442b28c1556f7015f3b0ed4f4
SHA51273e65253cb754e7469797e355163444035ef2f85ae3953223e83b14f5070de6da17029aa2728c0ee1bd007df7722b338a39ee3d71b73888f4ed52a111c208159
-
MD5
5498c2ea6c3d26c94247715deb4c09a0
SHA1c8328ca80fb0009fbdf92fd52a110e604db267b9
SHA256a096e7ed6b4ac331fb64a81cce1ae13e9c8c64a442b28c1556f7015f3b0ed4f4
SHA51273e65253cb754e7469797e355163444035ef2f85ae3953223e83b14f5070de6da17029aa2728c0ee1bd007df7722b338a39ee3d71b73888f4ed52a111c208159
-
MD5
5498c2ea6c3d26c94247715deb4c09a0
SHA1c8328ca80fb0009fbdf92fd52a110e604db267b9
SHA256a096e7ed6b4ac331fb64a81cce1ae13e9c8c64a442b28c1556f7015f3b0ed4f4
SHA51273e65253cb754e7469797e355163444035ef2f85ae3953223e83b14f5070de6da17029aa2728c0ee1bd007df7722b338a39ee3d71b73888f4ed52a111c208159
-
Filesize
8KB