Analysis
-
max time kernel
147s -
max time network
135s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 01:32
General
-
Target
963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
-
Size
198KB
-
MD5
bf9359046c4f5c24de0a9de28bbabd14
-
SHA1
d1f7c41154cbbc9cd84203fe6067d1b93001dde6
-
SHA256
963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e
-
SHA512
9050b23a429a92f0be4feb43ee901f64acab06a588d903f308697174fc1e73633cfcac27f71292e2d6ad6b40e34ab580c52949e1a533b885aa7a2f13f12b060b
Malware Config
Extracted
sodinokibi
19
29
schluesseldienste-hannover.de
alpesiberie.com
bratek-immobilien.de
bcmets.info
log-barn.co.uk
diverfiestas.com.es
nexstagefinancial.com
mundo-pieces-auto.fr
marmarabasin.com
walterman.es
juergenblaetz.de
centuryvisionglobal.com
witraz.pl
aslog.fr
qandmmusiccenter.com
awag-blog.de
domilivefurniture.com
penumbuhrambutkeiskei.com
from02pro.com
teamsegeln.ch
-
net
true
-
pid
19
-
prc
mysql.exe
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
29
Signatures
-
Detect Neshta Payload 10 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi/Revil sample 5 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"C:\Users\Admin\AppData\Local\Temp\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
02ee6a3424782531461fb2f10713d3c1
SHA1b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA5126c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
MD5
cf6c595d3e5e9667667af096762fd9c4
SHA19bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
MD5
58b58875a50a0d8b5e7be7d6ac685164
SHA11e0b89c1b2585c76e758e9141b846ed4477b0662
SHA2562a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
MD5
566ed4f62fdc96f175afedd811fa0370
SHA1d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
MD5
e584c29c854081c78a366fbcc6f7f84c
SHA132b7e552e5916b43d57d7b088c543b77f1067338
SHA256b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450
SHA512c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c
-
MD5
f6636e7fd493f59a5511f08894bba153
SHA13618061817fdf1155acc0c99b7639b30e3b6936c
SHA25661720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1
-
MD5
3e8de969e12cd5e6292489a12a9834b6
SHA1285b89585a09ead4affa32ecaaa842bc51d53ad5
SHA2567a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf
SHA512b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e
-
MD5
a49eb5f2ad98fffade88c1d337854f89
SHA12cc197bcf3625751f7e714ac1caf8e554d0be3b1
SHA25699da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449
SHA5124649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593
-
MD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
MD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
MD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
MD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
MD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
MD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
MD5
a994cfba920bb87b9322aeda48282d11
SHA1dcdade9e535ec79f839537e7ed38499d258020b3
SHA2568b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12
SHA512b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39
-
Filesize
8KB