Analysis

  • max time kernel
    163s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 02:35

General

  • Target

    064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe

  • Size

    199KB

  • MD5

    81da022977dec2624184697c779c0318

  • SHA1

    e6591a63f5466d721e3227e05ae7fb5e726b81f8

  • SHA256

    064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2

  • SHA512

    f63b0b04c6a5e01b92172a7ffe37b29ee537e620c67bfeba6cb270950288b80a557e5fcb9e5cd0dda78241cc75b61a66396d6b8d7d3cf163991b547990c893ab

Malware Config

Extracted

Path

C:\7c7nm6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7c7nm6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9BF329183CAC3F1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/A9BF329183CAC3F1 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 7n2JIY+x8Qi9TW8QrCSxrI207yfMXQq2YCMXMPciNCLd1uafpIy+V5K9mkiSSQwd rXZ7LhLhbZCQUEZGCw7xvemlCjYCxMmPLaqOlEd26Wn1dDdb3lkubFg3FE8XMvID ysV2WJI2Lrlyxgc2AY5/2CAFs/QMmf7W5pCOvXB86c3AvJ778zYPxj3KhgOdoOrz o/4iZwNEGVqDepjdOQ9rDkqCoKcJrSLGU7KUSrmNxb8ZZnGvUB1FGGd/K3fr6qGD Jw66+PcqqllG0gtVRd9XzVwFE+SMiP63mSvdF8n/gv3d1qeHQPqX/zgO56BQxrvF s5UrUwVagiilKe2EBnsc7us0SmwuYmdVygGTCHFtkPHIGfUaVwX9y44L/iy3FEVQ RAZF46G02Cjau9NrC6udw9DuA70ziH6Zmt2PqVWAcbg4euM6u2kYsmZ++Zv4XIbe MyuOXY33k/OQnTNJU1MpWgddKdBNHUCzrm6zN2M7MgcjpWa4fgEM967pHDzIw0QJ nndKT3YTxJ7CqFfRtfp7KC4bnu9CcczqjgOL02ZhQH+FNvmRBVzxOS7Qtwsnx8V1 jZOUSdCQCef1iLqW1JqgvQ/sx54+ELhZmuPlAReezSOu9reYhCBGHjQfL1YquLuU omFK0NM+Igx/J9cNg2EuuGvMv+7yr3/D47yRl3d7f1rV3toITWyQSfZrNauH0A+W 4EBLnY2HnPn54lMAScFBeV6M8mEfzNI5FOjiQp/sUYXs2/7fDhUzi9bs1lwdNoxb dkQiSlFerglXoukS/maZufUWqASiOnO6pvcK5vyuexjjlrpR3bHvFqeBH1tvMDVA lGtEH6EfYxaTi2XboK/7e3PkpmPGk6u6tKssHLhQIHKjqHgIOjrtL1xX5hLmSdRo 7pHoXXURV02kRswnHIr/Zzk2EaxwgMmTGOqWuRn41y4UC5gGZTJyZXSG1wfHFJ7N 6Z5wflPH6lEt3DYKve56aH5Vd2m7H/ZnQSfigCUaslxgdq6+V9JdikBFr3BHy2qM l4tQt+PNpBsepehMOoL3BIzpV+oD7e0S5KPfWNUCIitYLmkUVHRzqSXnZtMdRl0L CEgQq9nHrkqL5A== Extension name: 7c7nm6 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9BF329183CAC3F1

http://decryptor.top/A9BF329183CAC3F1

Extracted

Family

sodinokibi

Botnet

19

Campaign

96

C2

vitormmcosta.com

allinonecampaign.com

edvestors.org

haard-totaal.nl

stabilisateur.fr

anleggsregisteret.no

ufovidmag.com

oraweb.net

oththukaruva.com

acumenconsultingcompany.com

xn--billigafrgpatroner-stb.se

glennverschueren.be

subquercy.fr

leadforensics.com

devplus.be

silkeight.com

bluetenreich-brilon.de

askstaffing.com

hutchstyle.co.uk

netadultere.fr

Attributes
  • net

    true

  • pid

    19

  • prc

    firefoxconfig.exe

    mysqld_opt.exe

    thebat64.exe

    powerpnt.exe

    tbirdconfig.exe

    msftesql.exe

    mysqld.exe

    sqlwriter.exe

    infopath.exe

    winword.exe

    sqlbrowser.exe

    sqlagent.exe

    sqbcoreservice.exe

    mspub.exe

    onenote.exe

    thebat.exe

    visio.exe

    mysqld_nt.exe

    excel.exe

    thunderbird.exe

    encsvc.exe

    mydesktopservice.exe

    ocssd.exe

    steam.exe

    ocomm.exe

    isqlplussvc.exe

    dbsnmp.exe

    synctime.exe

    agntsvc.exe

    mydesktopqos.exe

    ocautoupds.exe

    wordpad.exe

    dbeng50.exe

    outlook.exe

    xfssvccon.exe

    oracle.exe

    sqlservr.exe

    msaccess.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    96
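The attribute block above is the sample's REvil configuration: pid and sub are the affiliate and campaign ids repeated as Botnet 19 and Campaign 96, prc is the list of image names killed before encryption so that files those programs hold open can be overwritten, net gates whether the domains listed under C2 are contacted at all, and ransom_template is the note body with {EXT}, {UID} and {KEY} filled in per victim. One caveat on that C2 list: in REvil configs it is the dmn field, several hundred mostly legitimate domains to which the sample POSTs encrypted statistics, so it is hunting material rather than blocklist-grade attacker infrastructure. The following Python is an added example, not part of the sandbox report or of any REvil tooling: it models those fields from the values on this page and checks the extraction for consistency (the note file name derived from the template must equal the extracted Path, rendering must leave no placeholder behind, the portal URLs must be the two carrying the victim id while the Tor Project link is not an indicator), and a kill-list lookup shows what prc does. The note body is a shortened excerpt of the template and FAKE_KEY is a constructed stand-in for the base64 key blob.

```python
r"""Consistency checks over the REvil/Sodinokibi config fields listed above.

Added example for this page; not code from the sandbox, the malware or any
REvil tooling. Field values are copied from the report (pid/sub, net, the
prc kill list, the note name template, the extracted extension and UID).
The note body is a shortened excerpt keeping only the parts that carry
placeholders or URLs, and FAKE_KEY is a constructed stand-in for the key blob.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PLACEHOLDER = re.compile(r"\{(EXT|UID|KEY)\}")
URL = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class RevilConfig:
    pid: str        # affiliate id ("Botnet 19" above)
    sub: str        # campaign id ("Campaign 96" above)
    net: bool       # whether the sample beacons to its domain list at all
    prc: List[str]  # image names terminated before encryption starts
    nname: str      # ransom note file name template
    nbody: str      # ransom note body template


CONFIG = RevilConfig(
    pid="19", sub="96", net=True,
    prc=[
        "firefoxconfig.exe", "mysqld_opt.exe", "thebat64.exe", "powerpnt.exe",
        "tbirdconfig.exe", "msftesql.exe", "mysqld.exe", "sqlwriter.exe",
        "infopath.exe", "winword.exe", "sqlbrowser.exe", "sqlagent.exe",
        "sqbcoreservice.exe", "mspub.exe", "onenote.exe", "thebat.exe",
        "visio.exe", "mysqld_nt.exe", "excel.exe", "thunderbird.exe",
        "encsvc.exe", "mydesktopservice.exe", "ocssd.exe", "steam.exe",
        "ocomm.exe", "isqlplussvc.exe", "dbsnmp.exe", "synctime.exe",
        "agntsvc.exe", "mydesktopqos.exe", "ocautoupds.exe", "wordpad.exe",
        "dbeng50.exe", "outlook.exe", "xfssvccon.exe", "oracle.exe",
        "sqlservr.exe", "msaccess.exe",
    ],
    nname="{EXT}-readme.txt",
    nbody=(  # excerpt; the attackers' wording is left exactly as printed
        "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are "
        "encrypted, and currently unavailable. You can check it: all files on "
        "you computer has expansion {EXT}. "
        "a) Download and install TOR browser from this site: "
        "https://torproject.org/ b) Open our website: "
        "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} "
        "b) Open our secondary website: http://decryptor.top/{UID} "
        "Key: {KEY} Extension name: {EXT}"
    ),
)

EXTRACTED = {"ext": "7c7nm6", "uid": "A9BF329183CAC3F1"}  # from the dropped note
FAKE_KEY = "QUFBQUFBQUFBQUFBQUFBQQ=="                      # constructed placeholder


def render(template: str, ext: str, uid: str, key: str) -> str:
    """Fill the three placeholders REvil uses in its note templates."""
    values = {"EXT": ext, "UID": uid, "KEY": key}
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def unfilled(text: str) -> List[str]:
    """Placeholders still present after rendering; anything here means the
    extractor mislabelled a field or the template carries a new placeholder."""
    return PLACEHOLDER.findall(text)


def note_filename(cfg: RevilConfig, ext: str) -> str:
    """Name the note is dropped as; must agree with the extracted Path."""
    return render(cfg.nname, ext, "", "")


def victim_urls(cfg: RevilConfig, uid: str) -> List[str]:
    """Portal URLs carrying the victim id. Generic links in the note (the Tor
    Project download) are dropped so they never end up on a blocklist."""
    body = render(cfg.nbody, "x", uid, "x")
    return [u for u in URL.findall(body) if uid in u]


def kill_list_hits(cfg: RevilConfig, running: List[str]) -> List[str]:
    """Running image names the sample would terminate, compared
    case-insensitively as Windows does."""
    targets = {p.lower() for p in cfg.prc}
    return sorted({r.lower() for r in running} & targets)


def config_summary(cfg: RevilConfig, ext: str, uid: str) -> Dict[str, object]:
    """One triage record per sample: ids, note name, portals, sanity flags."""
    note = render(cfg.nbody, ext, uid, FAKE_KEY)
    return {
        "affiliate": cfg.pid,
        "campaign": cfg.sub,
        "beacons": cfg.net,
        "note_file": note_filename(cfg, ext),
        "portals": victim_urls(cfg, uid),
        "unfilled": unfilled(note),
        "kill_list_size": len(cfg.prc),
    }
```

Calling config_summary(CONFIG, **EXTRACTED) gives the triage record for this sample; a non-empty unfilled list, or a note_file that differs from the extracted Path, is the signal that the extractor mis-parsed the configuration rather than that the sample changed.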

Signatures

  • Detect Neshta Payload 13 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Neshta is a file infector: it writes itself into other executables so that every infected program spreads it further. In this run it also drops C:\Windows\svchost.com and registers it as the handler for .exe files, which is why cmd.exe in the process tree below is launched through svchost.com rather than directly by the ransomware.

  • Sodin / Sodinokibi / REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 24 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe
    "C:\Users\Admin\AppData\Local\Temp\064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Users\Admin\AppData\Local\Temp\3582-490\064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3996
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:4272
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1796
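The tree above shows the two things worth alerting on: the recovery-inhibition one-liner (vssadmin deleting all shadow copies, bcdedit turning off recovery and failure handling) and the fact that cmd.exe is started by C:\Windows\svchost.com, the .exe handler Neshta installs, rather than by the ransomware directly. Matching the command line alone fires three times here, because svchost.com, cmd.exe and vssadmin.exe all carry it, so a useful detector also walks the parent chain back to the process that issued the command. The following Python is an added example, not sandbox code: the process records are constructed from the tree as printed (PID, parent PID, image, command line), the rule names and the RELAYS set are this example's own choices, and in production the records would come from Sysmon event 1 or an EDR feed.

```python
r"""Detection over the process tree above: the recovery-inhibition chain
(vssadmin / bcdedit, ATT&CK T1490) and the Neshta .exe association hijack
that shows up as cmd.exe being started by C:\Windows\svchost.com.

Added example for this page, not code from the sandbox. The process records
are constructed from the tree as printed (PID, parent PID, image, command
line); in production they would come from Sysmon event 1 or an EDR feed.
The RELAYS set and the rule names are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
OUTER = TEMP + "\\" + SAMPLE              # Neshta-infected file as submitted
INNER = TEMP + "\\3582-490\\" + SAMPLE    # original host (REvil) that Neshta re-runs
WIPE = ("vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} "
        "recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


TREE: List[Proc] = [
    Proc(3440, None, OUTER, '"' + OUTER + '"'),
    Proc(3704, 3440, INNER, '"' + INNER + '"'),
    Proc(4088, 3704, r"C:\Windows\svchost.com",
         r'"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c ' + WIPE),
    Proc(3996, 4088, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\cmd.exe /c " + WIPE),
    Proc(4272, 3996, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    Proc(1796, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

RECOVERY_RULES: List[Tuple[str, re.Pattern]] = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Images that only relay a command line they were handed. Attribution walks
# through them so the alert lands on the process that chose to run the command.
RELAYS = {"cmd.exe", "powershell.exe", "wmic.exe", "vssadmin.exe", "bcdedit.exe",
          "svchost.com"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def recovery_inhibition(procs: List[Proc]) -> Dict[int, List[str]]:
    """PID -> names of the T1490 rules its command line matches."""
    hits: Dict[int, List[str]] = {}
    for p in procs:
        names = [name for name, rx in RECOVERY_RULES if rx.search(p.cmdline)]
        if names:
            hits[p.pid] = names
    return hits


def origin_of(procs: List[Proc], pid: int) -> Proc:
    """Climb the parent chain past relay images to the process that owns the action."""
    index = by_pid(procs)
    proc = index[pid]
    while basename(proc.image) in RELAYS and proc.ppid in index:
        proc = index[proc.ppid]
    return proc


def alerts(procs: List[Proc]) -> Dict[int, List[str]]:
    """Collapse per-process matches into one alert per originating PID, so the
    svchost.com, cmd.exe and vssadmin.exe hits become a single REvil alert."""
    grouped: Dict[int, set] = {}
    for pid, names in recovery_inhibition(procs).items():
        grouped.setdefault(origin_of(procs, pid).pid, set()).update(names)
    return {pid: sorted(names) for pid, names in grouped.items()}


def exefile_hijack(procs: List[Proc]) -> List[int]:
    r"""PIDs of .exe processes whose parent image is C:\Windows\svchost.com.
    A clean Windows has no such file; once Neshta has pointed the exefile
    association at it, every .exe launch passes through it, so the parent
    link is the reliable tell regardless of what command line it carries."""
    index = by_pid(procs)
    found = []
    for p in procs:
        parent = index.get(p.ppid)
        if (parent is not None
                and parent.image.lower() == r"c:\windows\svchost.com"
                and p.image.lower().endswith(".exe")):
            found.append(p.pid)
    return found
```

alerts(TREE) yields a single alert on PID 3704, the REvil payload Neshta re-launched from its 3582-490 directory, carrying all three rule names; exefile_hijack(TREE) flags PID 3996. The vssvc.exe root at the bottom of the tree is the Volume Shadow Copy service starting on demand to service the deletion, not something to alert on by itself.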

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Change Default File Association (T1042): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • File Deletion (T1107): 2
  • Install Root Certificate (T1130): 1

Credential Access
  • Credentials in Files (T1081): 1

Discovery
  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 1

Impact
  • Inhibit System Recovery (T1490): 2
  • Defacement (T1491): 1

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    MD5

    a344438de9e499ca3d9038688440f406

    SHA1

    c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

    SHA256

    715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

    SHA512

    8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
    MD5

    f89440ce4ff5c1295c1799339a530303

    SHA1

    b3cdd4410c3b3315713a24cd547664a220e7ec0d

    SHA256

    5fac23766b327e314ff6ccfefa8c5db37aafa58814277a0e16ab1b78dad3beb2

    SHA512

    8b8c3181b591e40d6e3802a65dd47ffd00e4d59950ec29433db5f484e71ef3a91fd22d5e372b08f4f3ab27a6cc7045e11e181fb112b27d8daa6d260a506d5beb

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
    MD5

    40c8e5f4f7fb2fa4c6ed47e7f254a3cc

    SHA1

    5da20099194e003816c3fd46408b5e5ab934b424

    SHA256

    2a28751ada21b17ca140ed3a03dccd29995b2ef702528eed1cc02bff0292f327

    SHA512

    5e91bd9347df79eca484f6c5768930a191ffd679d5979b8c896f620c6f207c02f737782f0c6453e0973748c78bc9bc2cc537b27378f73a80dd254c2df9667ae3

  • C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
    MD5

    4e8c731e3175d6d2f5085fe55974e1db

    SHA1

    74604823bd1e5af86d66e4986c1203f2bf26e657

    SHA256

    8a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325

    SHA512

    a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485

  • C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
    MD5

    0d9146d70ac6a41ead1ea2d50d729508

    SHA1

    b9e6ff83a26aaf105640f5d5cdab213c989dc370

    SHA256

    0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

    SHA512

    c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

  • C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
    MD5

    fa982a173f9d3628c2b3ff62bd8a2f87

    SHA1

    2cfb18d542ae6b6cf5a1223f1a77defd9b91fa56

    SHA256

    bc5d80d05a1bd474cb5160782765bf973ba34ea25dedf7e96dfaf932b9935032

    SHA512

    95ca9066a2e5272494b8e234220b6028c14892679023ca70801475c38d341032363589375ec6ffc4cde3416dd88d0e3082d315f7beddccdf014122ddd0a90644

  • C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
    MD5

    3bf259392097b2c212b621a52da03706

    SHA1

    c740b063803008e3d4bab51b8e2719c1f4027bf9

    SHA256

    79538fa3a6cf33b989d43e7311de4d7b0e1a99b60964e3acc00fa3cb49ff8160

    SHA512

    186a81ec6cfa4c6dbcb2dc51cbd647bf44328077b58575fafab920303ccf259322cd31fccc0bb23418293f1b88d7f21ab3f0d8e3f9af7db4b5d3f7c8978c7934

  • C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    MD5

    32853955255a94fcd7587ca9cbfe2b60

    SHA1

    c33a88184c09e89598f0cabf68ce91c8d5791521

    SHA256

    64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

    SHA512

    8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    MD5

    0d9146d70ac6a41ead1ea2d50d729508

    SHA1

    b9e6ff83a26aaf105640f5d5cdab213c989dc370

    SHA256

    0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

    SHA512

    c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    MD5

    07e194ce831b1846111eb6c8b176c86e

    SHA1

    b9c83ec3b0949cb661878fb1a8b43a073e15baf1

    SHA256

    d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

    SHA512

    55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

  • C:\Users\Admin\AppData\Local\Temp\3582-490\064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe
    MD5

    37c62627383200afa90abf92bf5c4f72

    SHA1

    ba0cce7a0b27b4d6c29abeb6d02f5bc54c6c8cd9

    SHA256

    e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0

    SHA512

    9eb9aade0df35394f2b326d630dd24899edd388c7f19f7da81b99b347ab402994f0ed4540c9a8bf58f2e1abada2632e98b714e615e25d71ee5892d2cbff16fca

  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

  • C:\odt\OFFICE~1.EXE
    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
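Dropped-file listings like the one above mix three kinds of artifact: the svchost.com handler Neshta installs, the original host executable it extracts into its 3582-490 directory and re-runs, and pre-existing programs under Program Files and ProgramData that it rewrote in place. Listings of this kind also commonly repeat a file that was written in more than one pass. The following Python is an added example, not sandbox code: it parses the page's own layout into records, collapses duplicates by SHA256 while keeping every path a hash was seen at, and tags each hash by its role so the set can be fed to a hunt without treating every rewritten Adobe or Java updater as a new malicious binary. LISTING is a constructed excerpt copying four entries from the report (SHA512 lines and blank lines omitted), with the svchost.com entry deliberately included twice to show the collapse; the tag names are this example's own.

```python
r"""Turn the dropped-file listing above into a deduplicated IoC set and tag
each hash by its role in the Neshta + REvil chain.

Added example for this page, not sandbox code. LISTING is a constructed
excerpt copying four entries from the report in the page's own layout (a
bullet with the path, then MD5 / SHA1 / SHA256 labels, each followed by its
value; SHA512 lines omitted). The tag names are this example's own.
"""
import re
from typing import Dict, List

LISTING = r"""
  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    MD5
    a344438de9e499ca3d9038688440f406
    SHA1
    c961917349de7e9d269f6f4a5593b6b9d3fcd4d2
    SHA256
    715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557
  • C:\Users\Admin\AppData\Local\Temp\3582-490\064b5a8a6527e9b7b857c78417c9701ccab7f6fd0cfcc367aa73a98a91e1f6a2.exe
    MD5
    37c62627383200afa90abf92bf5c4f72
    SHA1
    ba0cce7a0b27b4d6c29abeb6d02f5bc54c6c8cd9
    SHA256
    e7ddb20095cd733efc10fba3ff1a8b3e83767cc900b5a976d4029456226612b0
  • C:\Windows\svchost.com
    MD5
    36fd5e09c417c767a952b4609d73a54b
    SHA1
    299399c5a2403080a5bf67fb46faec210025b36d
    SHA256
    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
  • C:\Windows\svchost.com
    MD5
    36fd5e09c417c767a952b4609d73a54b
    SHA1
    299399c5a2403080a5bf67fb46faec210025b36d
    SHA256
    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Path bullets followed by label/value pairs -> one dict per bullet.
    Values are checked for hex and the right length so a wrapped or
    truncated hash is rejected instead of silently entering the IoC set."""
    entries: List[Dict[str, str]] = []
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"path": line[1:].strip()})
            label = None
        elif line in HASH_LEN:
            label = line
        elif label and entries:
            if not HEX.match(line) or len(line) != HASH_LEN[label]:
                raise ValueError(f"bad {label} for {entries[-1]['path']}: {line}")
            entries[-1][label.lower()] = line
            label = None
        else:
            raise ValueError(f"unexpected line: {line}")
    for e in entries:
        if "sha256" not in e:
            raise ValueError(f"no SHA256 for {e['path']}")
    return entries


def tag(path: str) -> str:
    """Role of a dropped path in this chain; names are this example's own."""
    p = path.lower()
    if p == r"c:\windows\svchost.com":
        return "neshta-dropper"      # the .exe handler Neshta installs
    if "\\3582-490\\" in p:
        return "neshta-host-copy"    # original host exe Neshta extracts and runs
    if p.endswith(".exe") and "\\appdata\\local\\temp\\" not in p:
        return "rewritten-exe"       # existing program rewritten in place
    return "other"


def iocs(text: str) -> List[Dict[str, object]]:
    """One record per SHA256 with every path it was seen at and its tags."""
    merged: Dict[str, Dict[str, object]] = {}
    for e in parse_listing(text):
        rec = merged.setdefault(e["sha256"], {
            "sha256": e["sha256"], "md5": e.get("md5"), "sha1": e.get("sha1"),
            "paths": [], "tags": set()})
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
        rec["tags"].add(tag(e["path"]))
    return [dict(r, tags=sorted(r["tags"])) for r in merged.values()]
```

iocs(LISTING) returns three records from the four entries. The neshta-dropper and neshta-host-copy hashes are the ones to block outright; the rewritten-exe records are previously legitimate programs that now carry the infector and need reinstalling on the host rather than blocking by hash elsewhere.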