Overview

overview

10

Static

static

10

66de053a99...69.exe

windows7_x64

10

66de053a99...69.exe

windows10_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    178s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169.exe

  • Size

    205KB

  • MD5

    5c3f6b0a1ee7f030d2c8e944c07c8501

  • SHA1

    d2bd125693b7b3bba36e6423335503c88030ee0e

  • SHA256

    66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169

  • SHA512

    43b4aaaabf1fd3165c49157cf1baf9d7a37331900d559d73475974a04fdc3a39a011aac3ed4b0693c1edaa8e2458b90b5ac2107099fb18126ebf5fc105b40bed

Score
10/10
neshtasodinokibi1936persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\a0ota-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion a0ota. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/95BD11F2B24EF546 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/95BD11F2B24EF546 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: iIffxFq/rTXhEEnp16tf++a9uZnHYjOthxF3kix1wkGy/8JV/3azHxb0lpd+kEse 0e1B7a7nIZOPsNaDSelNOu09Ci8CUms84f1IHTsVG2CQ3AxdAEE4WQuGbeXVzd9k uu+AsFC20CXLaiDcCJwa/rhRmmZZeiY/AOF63G5J2JjzrPsyvcbRce6rWgDJlhQ3 1EP7AxNQtoAHFfUZLeOy9l2ESIakZP4fOHaozqGcM6q8eFlbErDR2fvf7rfrABpR ahHLGwTVJ/WV6S+tCR8ryZ2S2nabCxDCFu0rfq7ot41bVp8fgfGqcdl12xXPmFed 4mgiBRediKSDBXfkwHzDIpn+fulxkn/38hoDTbfL5mfEgbUB1a+ROtKkL4w6t2Mq yK/o8RDH+niWYJfLxf34r4dlnCC9T6ecw4A8KSPHWF12/bqtvSiWMdthfgR65Wxp CMFXYsUm8MU36BzqmYven5BKreTbktYkRy7CQ8vNfXYG3jXH+6BPYVjAByHCNfi1 S/vvT2LnlmknjKM57Dd1fMfbCjRWdouhLMnnHcqRI+77cA24GA6g7OZUXmAUlj/p w8o2hHDa5qYXlokjvivfaSivN6IGsG8teyfSuL000UUsbB+CMOoTsYrjcFaQG4jc LCIP/hx/wrAxEAwdXLx0Fg8RncglTbLQXO2QHvDmoQnF+yfiJ6rYmKHxOVdDZtcS gso4n+cm8U9lBSIgc3V2IMZBJs1x0f3ohFCIrAIi3VAlhcnm/knjhJ0ejoVJa/iC JxZftAPxbscKcE4n+c6zgr7CSFLE+BNO/uDRW2dvaaYhZLWdEV8I8UJ/Rbv/DkVq FyGE+41JGLWpsiB/jsSx4hRgITghvdJ66E86Z+gSx5Ema9XuyfpMHKQZQ53MW0fH Bp0Y2VeKSQkbwji298qe06nFlvLaxwOFrfHnsyyU4LNZzP2Mp+5Yu9NKbG4pqf/1 p80H7CRALckKZ5NBQ8oG13L731iPNEHZx0pjVmUONMWsg3rpW2hMjjVCYrbC5RGk 0KjrtLCPyazpKWg6Vp5WX+axz42WRfv3X60MtVmU+LC1o6H3ahMuh/3HcAQAopml JInEKFLPGrAb73QwAWykIPUrH5DbjluIRPy41i+f2qyZIUKVEBo= Extension name: a0ota ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/95BD11F2B24EF546

http://decryptor.top/95BD11F2B24EF546

Extracted

Family

sodinokibi

Botnet

19

Campaign

36

C2

cap29010.it

marcandy.com

johnstonmingmanning.com

racefietsenblog.nl

kvetymichalovce.sk

outstandingminialbums.com

ebible.co

napisat-pismo-gubernatoru.ru:443

mrkluttz.com

albcleaner.fr

smartworkplaza.com

m2graph.fr

rechtenplicht.be

tchernia-conseil.fr

breathebettertolivebetter.com

inewsstar.com

nginx.com

blueridgeheritage.com

banukumbak.com

fta-media.com
Attributes
  • net

    true

  • pid

    19

  • prc

    synctime

    oracle

    mysqld_nt

    sqlbrowser

    encsvc

    infopath

    winword

    thebat64

    onenote

    wordpad

    firefoxconfig

    outlook

    mysqld

    visio

    steam

    ocssd

    xfssvccon

    sqlagent

    sqbcoreservice

    tbirdconfig

    isqlplussvc

    sqlservr

    ocomm

    thebat

    excel

    dbeng50

    agntsvc

    msftesql

    ocautoupds

    mydesktopqos

    thunderbird

    mydesktopservice

    mspub

    powerpnt

    mysqld_opt

    sqlwriter

    dbsnmp

    msaccess

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    36

  • svc

    sophos

    memtas

    veeam

    vss

    mepocs

    sql

    backup

    svc$

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169.exe
    "C:\Users\Admin\AppData\Local\Temp\66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\3582-490\66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3848
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1920
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:884

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169.exe
      MD5

      b63bf2e4a6a0bc89f8375aa0f6672cea

      SHA1

      2c2ec58749b66d1814f27cbc3e8d845a3e7866fc

      SHA256

      3ea8f71bfb79e6547788eb5f2718d8cfc31fe6d99e15e6a8062406aedfcdfa90

      SHA512

      92a96ab7d0e7add812c49013ffc66a4f168becebdd68cf867c7d2655bcf6f2a0bcf1f78199b24b4741d0a832387eeb15ba9ae3c5e3fb0ddcc943e1e084145948

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\66de053a99d21cdfb67bb5f87ec1ec7405c03ee71f14750a2185f35c90842169.exe
      MD5

      b63bf2e4a6a0bc89f8375aa0f6672cea

      SHA1

      2c2ec58749b66d1814f27cbc3e8d845a3e7866fc

      SHA256

      3ea8f71bfb79e6547788eb5f2718d8cfc31fe6d99e15e6a8062406aedfcdfa90

      SHA512

      92a96ab7d0e7add812c49013ffc66a4f168becebdd68cf867c7d2655bcf6f2a0bcf1f78199b24b4741d0a832387eeb15ba9ae3c5e3fb0ddcc943e1e084145948

      Download Submit
    • memory/3848-124-0x000001C000E20000-0x000001C000EB0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/3848-125-0x000001C000E20000-0x000001C000EB0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/3848-126-0x000001C01AD60000-0x000001C01AD82000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3848-129-0x000001C01AF10000-0x000001C01AF86000-memory.dmp
      Filesize

      472KB

      Download