Overview

overview

10

Static

static

10

963e31fef7...6e.exe

windows7_x64

10

963e31fef7...6e.exe

windows10_x64

10

Analysis

  • max time kernel
    171s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe

  • Size

    198KB

  • MD5

    bf9359046c4f5c24de0a9de28bbabd14

  • SHA1

    d1f7c41154cbbc9cd84203fe6067d1b93001dde6

  • SHA256

    963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e

  • SHA512

    9050b23a429a92f0be4feb43ee901f64acab06a588d903f308697174fc1e73633cfcac27f71292e2d6ad6b40e34ab580c52949e1a533b885aa7a2f13f12b060b

Score
10/10
neshtasodinokibi1929persistenceransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

19

Campaign

29

C2

schluesseldienste-hannover.de

alpesiberie.com

bratek-immobilien.de

bcmets.info

log-barn.co.uk

diverfiestas.com.es

nexstagefinancial.com

mundo-pieces-auto.fr

marmarabasin.com

walterman.es

juergenblaetz.de

centuryvisionglobal.com

witraz.pl

aslog.fr

qandmmusiccenter.com

awag-blog.de

domilivefurniture.com

penumbuhrambutkeiskei.com

from02pro.com

teamsegeln.ch
Attributes
  • net

    true

  • pid

    19

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    29

Signatures

  • Detect Neshta Payload 10 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    "C:\Users\Admin\AppData\Local\Temp\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:660
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1908
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1096

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
    MD5

    5e6a868a68e9773762f69a8ff5b31aec

    SHA1

    89e35086845e3f0318651eaf17cd582c83801b89

    SHA256

    9c37d3f5a2a2585b7944179a7aec31c53b313877be0928267b176a3193c246ac

    SHA512

    9dbf59e29e547b56ff1a3e4c40ffb5b437682cb15c9b4c3f1ef4ce63fd4eaa827dd71c44b5cf695943ad0392f0486ffec0cdcc1819417422a5644a1dcd936c5a

    Download Submit

  • C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
    MD5

    33cb4562e84c8bbbc8184b961e2e49ee

    SHA1

    d6549a52911eaeebcceb5bc39d71272d3b8f5111

    SHA256

    1f455ea6bab09377e5fdfbd5df102f79c5cbbb5fe5ce456f2fbb34f94ec848bb

    SHA512

    0b638a6e86816ba5d83de5fc381c85371f2f4fe0a2fdff40141859a42e255a082903e5692a49ef253265a42ec99924e5a0aa150cb7ed6cd5521f42f6c9fe27a9

    Download Submit

  • C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
    MD5

    3bf259392097b2c212b621a52da03706

    SHA1

    c740b063803008e3d4bab51b8e2719c1f4027bf9

    SHA256

    79538fa3a6cf33b989d43e7311de4d7b0e1a99b60964e3acc00fa3cb49ff8160

    SHA512

    186a81ec6cfa4c6dbcb2dc51cbd647bf44328077b58575fafab920303ccf259322cd31fccc0bb23418293f1b88d7f21ab3f0d8e3f9af7db4b5d3f7c8978c7934

    Download Submit

  • C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    MD5

    32853955255a94fcd7587ca9cbfe2b60

    SHA1

    c33a88184c09e89598f0cabf68ce91c8d5791521

    SHA256

    64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

    SHA512

    8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    MD5

    853f7e7015101997d448ae8caa9785e2

    SHA1

    3e114a9122712bae63c90a0fe4007deb72c4d3dc

    SHA256

    d44a5dc18727a2e83e82b59baf1b33222d7aa494e98078b65b9d327e6111f0d8

    SHA512

    795253b08cf0e88d5aab289a451bb66291db39324e85eed8caeba2f3e70d67b5dc47df45a405df6930e0d663407d6b728d8cda64c61101fce7f8d4a0b7e4d759

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    MD5

    07e194ce831b1846111eb6c8b176c86e

    SHA1

    b9c83ec3b0949cb661878fb1a8b43a073e15baf1

    SHA256

    d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

    SHA512

    55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

    Download Submit

  • C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
    MD5

    fa982a173f9d3628c2b3ff62bd8a2f87

    SHA1

    2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

    SHA256

    bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

    SHA512

    95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    MD5

    a994cfba920bb87b9322aeda48282d11

    SHA1

    dcdade9e535ec79f839537e7ed38499d258020b3

    SHA256

    8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

    SHA512

    b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3582-490\963e31fef7c8db9e002c56ee30fd3cd4b240db466bc23687979e2f161ba5606e.exe
    MD5

    a994cfba920bb87b9322aeda48282d11

    SHA1

    dcdade9e535ec79f839537e7ed38499d258020b3

    SHA256

    8b15999cff808e9477d25bf0f839ac7c93fa4e62710fb6ae29d33787f1a05f12

    SHA512

    b68c6edc21c49b1a3ee24856fdf276d3c239d9320cbf8071aa8df4c5d89bdd81d9fe487d8dc1cfb73a3c0954db7b1b3d731c0aa004ce309da4380e783444bc39

    Download Submit

  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit

  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit

  • C:\odt\OFFICE~1.EXE
    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

    Download Submit