Overview

overview

10

Static

static

10

00b5940a6a...cf.exe

windows7_x64

10

00b5940a6a...cf.exe

windows10_x64

10

Analysis

  • max time kernel
    170s
  • max time network
    166s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe

  • Size

    204KB

  • MD5

    7d7ee58c2696794b3be958b165eb61a9

  • SHA1

    d24d3921aad182754f4ee5fa0ef13b2699d20108

  • SHA256

    00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf

  • SHA512

    b04eec574166812a1c85b5abf0acb20c99eedab3d07ebbaf4dba2a4d5847c98f029f9f1671349899adb661bf17cc45f74b7dbde784c333127972ebb1ab488c27

Score
10/10
neshtasodinokibi19100persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\a3s619ci94-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion a3s619ci94. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/11048068BFDE144E 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/11048068BFDE144E Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Hgwv8/KXudaMvkdORgUTsQfb3EKhSZjeR0nN1Z/WOfiQor3iA2YY/qZPtPtb1AP3 5SEntOlhX3MxliKt44SO4TnpWm44bqzVI5z+jtaAwxw/G8f+TfKiBhZH4DaCV+nf f6kjDIXFsVlJm/nZHU1iXefIXXrNxX7g07+C0LnUch0U5BwKW/2c1ScdN+2kdzwx ofG92NnjS+SiJMcvRtdQS5yu60IN5xco6mf+vBVTSSDsf2t+KFTTgqy3j7/95hFH lBY3zdQ5IONYMBCBDqFNotFtubqX+pp1q5X3h2fyHudPMB2Ehny7+Mw19h3aL8yt 5H1fcLmoROeIUJcU190mdiWKfkqG7BnlS6MyP3Su+C8IspAJkRHZlmfnmHTofMtY ldv2kdJkyTGk9OReXtqfpGcQLG/Ul+704OuR3mrLfDKKeYdAZyEJAhnYfj2BRteG EdxEF/9giNNv1AV6CA6tkBdSERGGpxPArbCN9RcaI8MSV1UsttnKuUxYiV7UJ6KM LDxz310IawVWEy/lalf+GkcTbiKKgC+Z6w+E3ws9nsiPEg08x/E6uMhOmssqWe3R lzgXkbxBMtDMdk8ZgC+qP0szQj0EZZapNZJr6isr05WEpYgYl/jwPDRu04O6wBo0 CbrXwCP5/bo+hZC8JrUQIR0uOTBhZGa8W2Oo2VaVfzGAlDPOxHAO/XQH9fsvu4NO MlGjcBX4ew9h+bV7padxHYDWI6oKBld703jE96rkAYBG3KqUHJwokPL0jEzkR9RH U59TxpKi9Hfu8ZNONezIKRAWqI4Vr65lN1LYdxtY+dK9X9QD6jjJIbi35DHf3cYw 8O20yB5Ex1jDsxHWdH6MEKa14iDrtI0Qt4h3yMTes4HUoCLukRU8ynUayVBaByyA yPobbUOR+5gUiN4M341QOqZ0+55u36KwLAdkGbaLG9qvFsasrwraW+2eFIei5AiZ Ng8tNfowUxNtPY72NjWBK1eOmsLMVeSWNQxBFn0v+/4kzjuzbNoCIiW5WHcW69X6 D9cxLsiExNwJ8Rumkr2qJFJE7TkTciotv35qvrBFNXzF0nG5g3LWQwnUNJQV+OzZ xWPpywPQl5E452l7btpIXJWOlXr+iAzbTRicTxNZlE1oM4YbXihlf2SbwIuNYrnu 0D0= Extension name: a3s619ci94 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/11048068BFDE144E

http://decryptor.top/11048068BFDE144E

Extracted

Family

sodinokibi

Botnet

19

Campaign

100

C2

suonenjoen.fi

forskolinslimeffect.net

dentalcircle.com

bourchier.org

epicjapanart.com

apogeeconseils.fr

goodherbalhealth.com

vapiano.fr

reizenmetkinderen.be

smartspeak.com

thesilkroadny.com

latableacrepes-meaux.fr

triplettagaite.fr

inewsstar.com

internestdigital.com

salonlamar.nl

altitudeboise.com

fixx-repair.com

cxcompany.com

aheadloftladders.co.uk
Attributes
  • net

    true

  • pid

    19

  • prc

    synctime

    mydesktopqos

    sqlwriter

    mydesktopservice

    ocomm

    oracle

    thebat

    ocautoupds

    firefoxconfig

    mysqld

    msaccess

    winword

    isqlplussvc

    powerpnt

    outlook

    agntsvc

    mysqld_nt

    sqbcoreservice

    encsvc

    sqlservr

    thebat64

    infopath

    onenote

    thunderbird

    wordpad

    msftesql

    ocssd

    sqlagent

    steam

    mysqld_opt

    mspub

    dbeng50

    xfssvccon

    sqlbrowser

    dbsnmp

    visio

    tbirdconfig

    excel

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    100

  • svc

    sql

    svc$

    sophos

    veeam

    mepocs

    backup

    vss

    memtas

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
    "C:\Users\Admin\AppData\Local\Temp\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4228
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1232

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
      MD5

      2720a8361dd606d683daba26686d1cc3

      SHA1

      3af79888890ce87ee1a217cd017312b2d53dc2e9

      SHA256

      0b0b2fdff74516db18bb37a91372792e0887c8730f4f7f44b3d880f79699a0a1

      SHA512

      5986e3eb98cb64d507e17824069a55980d58703b36901cb623c4732a458163bdc1d66dfbeb8dcc160f3f10c38f620b9e231e087c0a60647bfe1659ffbbb03265

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\00b5940a6a449f17a7134c9e81b6615c5e1e2fa1eef4cf8b3952d8c6817980cf.exe
      MD5

      2720a8361dd606d683daba26686d1cc3

      SHA1

      3af79888890ce87ee1a217cd017312b2d53dc2e9

      SHA256

      0b0b2fdff74516db18bb37a91372792e0887c8730f4f7f44b3d880f79699a0a1

      SHA512

      5986e3eb98cb64d507e17824069a55980d58703b36901cb623c4732a458163bdc1d66dfbeb8dcc160f3f10c38f620b9e231e087c0a60647bfe1659ffbbb03265

      Download Submit
    • memory/2236-126-0x0000023CC3A90000-0x0000023CC3AB2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2236-131-0x0000023CC5C30000-0x0000023CC5CA6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2236-138-0x0000023CAB940000-0x0000023CC3AE0000-memory.dmp
      Filesize

      385.6MB

      Download
    • memory/2236-144-0x0000023CAB940000-0x0000023CC3AE0000-memory.dmp
      Filesize

      385.6MB

      Download