Overview

overview

10

Static

static

10

00b5940a6a...cf.exe

windows7_x64

10

00b5940a6a...cf.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe

  • Size

    204KB

  • MD5

    7d7ee58c2696794b3be958b165eb61a9

  • SHA1

    d24d3921aad182754f4ee5fa0ef13b2699d20108

  • SHA256

    00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf

  • SHA512

    b04eec574166812a1c85b5abf0acb20c99eedab3d07ebbaf4dba2a4d5847c98f029f9f1671349899adb661bf17cc45f74b7dbde784c333127972ebb1ab488c27

Score
10/10
neshtasodinokibi19100persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\p72pe-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion p72pe. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3258074B51DD5655 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/3258074B51DD5655 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 1ijmPJuPWKnYYeVeC6t5TIm+pjr51YR6Rcam0F1+fhu0QhLMjXJrdVrwXPFUwAXL d55yPh1W4wVlCmtOM7De3C6XUGSyIn8I21CtQgWSIE9mhYgScjk9GWXk1p5QZmGh LlLvFmyZslIZZ2l2/X6tWc5MiXP1E7BTKIJLbujYQX6N2R8BZNeuZ8sIw/MiB7gu mKnnjrVzx8ZoV3Px4E13v/jY8IBlVG4IOkaNztPRRRcHkCdQhkUbJH9W2jaOY9mA ZYwXWZ6ZwA4qex2eOOOOg+BnHcFPZZQS7TvEbhCYrtgzgKmnbsNt1MHJNjQ+R5Q7 ni+KRDxPmCpDW8xie5vsPgj9PnknEwzu0DmSZvZDeq/CpErgW5SokXhl8s4gbPUX FTCLOYEMumijXq4rAtjnMP6pIYVdQhKaTrBzv79tlAjRTqbOt6OJXLmFCdPNXODh A2AY+noj5R7b02XyPjAPOuv2z1MJ9rzH6xHJ3Hy+NliQhWOTv8WwE0/5vJGp5ugS YTGcRAbidqYocwGXzn8uInLZUduR8vwMc1/wwHyWO/CCeekWl2V2G0K74Up1sYuG XOAxO6mOxQodlfobJ/CND43g5bhJCfCyHcmrvYrTzF4rnrQX00pv++MBLUbJoern 5nIteupRdgtNgq9Wp3THJDpV32Fpj2IqUfQ29xBkAUgBv1KRR+2qm7Cv/+8V6Uut cewgAJ3izWDiryAqNzS9xqIG0ywUGm3o8G7sPn3+YqJE7fqpW3f7ueCSlhcuFsVR 3226+axFCN8sJGxFeSntrqEnkMLVbIyvIUBVsAhM28vpHS8411+VoKr7FQNxQhNI EslZI1KPezbwj1AWqHd5QdftpQq2uPCYTtGdc1X9UdFQNTmTWpSJTic6dIs1ZwW+ qxpyITgJ6NnKjgAKXs/CwfGqLQ24WVuRnbnf9M5eAAkR/DSEinHlM1KyzD57rTK9 PalRDiV+1TDOL9tf2O3k14OSUXlrFYbNy4cMOYIFnS5rXtr9sUhZnW7FzZmHGsTx wWDpm/zPPH9G1woSOwldZ7/iUMHOBJtCOb4FKlnKAUz4+eaZIyKvsIAYeNExtMHq eddcyrH2iF6XDo1DM3T0vYii+Mb1S+mNwuR1BqhLLBCdaeV0VZi/GT4FyIuPaZR0 Extension name: p72pe ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3258074B51DD5655

http://decryptor.top/3258074B51DD5655

Extracted

Family

sodinokibi

Botnet

19

Campaign

100

C2

suonenjoen.fi

forskolinslimeffect.net

dentalcircle.com

bourchier.org

epicjapanart.com

apogeeconseils.fr

goodherbalhealth.com

vapiano.fr

reizenmetkinderen.be

smartspeak.com

thesilkroadny.com

latableacrepes-meaux.fr

triplettagaite.fr

inewsstar.com

internestdigital.com

salonlamar.nl

altitudeboise.com

fixx-repair.com

cxcompany.com

aheadloftladders.co.uk
Attributes
  • net

    true

  • pid

    19

  • prc

    synctime

    mydesktopqos

    sqlwriter

    mydesktopservice

    ocomm

    oracle

    thebat

    ocautoupds

    firefoxconfig

    mysqld

    msaccess

    winword

    isqlplussvc

    powerpnt

    outlook

    agntsvc

    mysqld_nt

    sqbcoreservice

    encsvc

    sqlservr

    thebat64

    infopath

    onenote

    thunderbird

    wordpad

    msftesql

    ocssd

    sqlagent

    steam

    mysqld_opt

    mspub

    dbeng50

    xfssvccon

    sqlbrowser

    dbsnmp

    visio

    tbirdconfig

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    100

  • svc

    sql

    svc$

    sophos

    veeam

    mepocs

    backup

    vss

    memtas

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
    "C:\Users\Admin\AppData\Local\Temp\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1544
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1512

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
      MD5

      2720a8361dd606d683daba26686d1cc3

      SHA1

      3af79888890ce87ee1a217cd017312b2d53dc2e9

      SHA256

      0b0b2fdff74516db18bb37a91372792e0887c8730f4f7f44b3d880f79699a0a1

      SHA512

      5986e3eb98cb64d507e17824069a55980d58703b36901cb623c4732a458163bdc1d66dfbeb8dcc160f3f10c38f620b9e231e087c0a60647bfe1659ffbbb03265

      Download Submit
    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
      MD5

      2720a8361dd606d683daba26686d1cc3

      SHA1

      3af79888890ce87ee1a217cd017312b2d53dc2e9

      SHA256

      0b0b2fdff74516db18bb37a91372792e0887c8730f4f7f44b3d880f79699a0a1

      SHA512

      5986e3eb98cb64d507e17824069a55980d58703b36901cb623c4732a458163bdc1d66dfbeb8dcc160f3f10c38f620b9e231e087c0a60647bfe1659ffbbb03265

      Download Submit
    • \Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
      MD5

      2720a8361dd606d683daba26686d1cc3

      SHA1

      3af79888890ce87ee1a217cd017312b2d53dc2e9

      SHA256

      0b0b2fdff74516db18bb37a91372792e0887c8730f4f7f44b3d880f79699a0a1

      SHA512

      5986e3eb98cb64d507e17824069a55980d58703b36901cb623c4732a458163bdc1d66dfbeb8dcc160f3f10c38f620b9e231e087c0a60647bfe1659ffbbb03265

      Download Submit
    • memory/1148-60-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1148-62-0x0000000002860000-0x0000000002862000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1148-63-0x0000000002862000-0x0000000002864000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1148-64-0x0000000002864000-0x0000000002867000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1148-61-0x000007FEF30A0000-0x000007FEF3BFD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1148-65-0x000000001B750000-0x000000001BA4F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1148-66-0x000000000286B000-0x000000000288A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1668-55-0x0000000075321000-0x0000000075323000-memory.dmp
      Filesize

      8KB

      Download