Overview

overview

10

Static

static

10

963e31fef7...6e.exe

windows7_x64

10

963e31fef7...6e.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe

  • Size

    198KB

  • MD5

    bf9359046c4f5c24de0a9de28bbabd14

  • SHA1

    d1f7c41154cbbc9cd84203fe6067d1b93001dde6

  • SHA256

    963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e

  • SHA512

    9050b23a429a92f0be4feb43ee901f64acab06a588d903f308697174fc1e73633cfcac27f71292e2d6ad6b40e34ab580c52949e1a533b885aa7a2f13f12b060b

Score
10/10
neshtasodinokibi1929persistenceransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

29

C2

schluesseldienste-hannover.de

alpesiberie.com

bratek-immobilien.de

bcmets.info

log-barn.co.uk

diverfiestas.com.es

nexstagefinancial.com

mundo-pieces-auto.fr

marmarabasin.com

walterman.es

juergenblaetz.de

centuryvisionglobal.com

witraz.pl

aslog.fr

qandmmusiccenter.com

awag-blog.de

domilivefurniture.com

penumbuhrambutkeiskei.com

from02pro.com

teamsegeln.ch
Attributes
  • net

    true

  • pid

    19

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    29

Signatures

  • Detect Neshta Payload 10 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    "C:\Users\Admin\AppData\Local\Temp\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1436
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

File Deletion

2
T1107

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
    MD5

    02ee6a3424782531461fb2f10713d3c1

    SHA1

    b581a2c365d93ebb629e8363fd9f69afc673123f

    SHA256

    ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

    SHA512

    6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

    Download Submit
  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    MD5

    cf6c595d3e5e9667667af096762fd9c4

    SHA1

    9bb44da8d7f6457099cb56e4f7d1026963dce7ce

    SHA256

    593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

    SHA512

    ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

    Download Submit
  • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
    MD5

    58b58875a50a0d8b5e7be7d6ac685164

    SHA1

    1e0b89c1b2585c76e758e9141b846ed4477b0662

    SHA256

    2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

    SHA512

    d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

    Download Submit
  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
    MD5

    566ed4f62fdc96f175afedd811fa0370

    SHA1

    d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

    SHA256

    e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

    SHA512

    cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

    Download Submit
  • C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
    MD5

    e584c29c854081c78a366fbcc6f7f84c

    SHA1

    32b7e552e5916b43d57d7b088c543b77f1067338

    SHA256

    b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450

    SHA512

    c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c

    Download Submit
  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    MD5

    f6636e7fd493f59a5511f08894bba153

    SHA1

    3618061817fdf1155acc0c99b7639b30e3b6936c

    SHA256

    61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

    SHA512

    bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

    Download Submit
  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    MD5

    3e8de969e12cd5e6292489a12a9834b6

    SHA1

    285b89585a09ead4affa32ecaaa842bc51d53ad5

    SHA256

    7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

    SHA512

    b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

    Download Submit
  • C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
    MD5

    a49eb5f2ad98fffade88c1d337854f89

    SHA1

    2cc197bcf3625751f7e714ac1caf8e554d0be3b1

    SHA256

    99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449

    SHA512

    4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    MD5

    a994cfba920bb87b9322aeda48282d11

    SHA1

    dcdade9e535ec79f839537e7ed38499d258020b3

    SHA256

    8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

    SHA512

    b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    MD5

    a994cfba920bb87b9322aeda48282d11

    SHA1

    dcdade9e535ec79f839537e7ed38499d258020b3

    SHA256

    8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

    SHA512

    b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39

    Download Submit
  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit
  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    MD5

    a994cfba920bb87b9322aeda48282d11

    SHA1

    dcdade9e535ec79f839537e7ed38499d258020b3

    SHA256

    8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

    SHA512

    b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    MD5

    a994cfba920bb87b9322aeda48282d11

    SHA1

    dcdade9e535ec79f839537e7ed38499d258020b3

    SHA256

    8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

    SHA512

    b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39

    Download Submit
  • \Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    MD5

    a994cfba920bb87b9322aeda48282d11

    SHA1

    dcdade9e535ec79f839537e7ed38499d258020b3

    SHA256

    8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

    SHA512

    b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39

    Download Submit
  • memory/1652-55-0x0000000074B21000-0x0000000074B23000-memory.dmp
    Filesize

    8KB

    Download