Analysis
-
max time kernel
181s -
max time network
202s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 02:16
General
-
Target
39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c.exe
-
Size
204KB
-
MD5
07dfffd188158429b2d86d28414ad08c
-
SHA1
9cabd968c2fcb9a2c03d444c8cd7d8e003a17174
-
SHA256
39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c
-
SHA512
c8590f51654dafc0f3ac9fd4aa6a33c247d58d2bf5d64bd3157dee1287da71280821054937cd556914d5ed72d351cb3d74026eff55185358460f604bb777ac94
Malware Config
Extracted
C:\80q5d57c-readme.txt
sodinokibi
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/50A5E84A3FA96596
http://decryptor.top/50A5E84A3FA96596
Extracted
sodinokibi
19
99
luvbec.com
eatyoveges.com
innersurrection.com
campusce.com
anchelor.com
medicalsupportco.com
photonag.com
rsidesigns.com
o2o-academy.com
hoteltantra.com
gaearoyals.com
arthakapitalforvaltning.dk
ntinasfiloxenia.gr
eafx.pro
smartmind.net
delegationhub.com
laylavalentine.com
michal-s.co.il
stathmoulis.gr
mariajosediazdemera.com
-
net
true
-
pid
19
-
prc
isqlplussvc
firefoxconfig
oracle
ocssd
powerpnt
thebat64
onenote
sqlwriter
outlook
mysqld_nt
excel
sqlbrowser
dbsnmp
msaccess
winword
dbeng50
visio
ocautoupds
encsvc
tbirdconfig
thebat
sqlservr
sqbcoreservice
mysqld
agntsvc
xfssvccon
mysqld_opt
mydesktopservice
ocomm
msftesql
thunderbird
synctime
infopath
mydesktopqos
mspub
sqlagent
wordpad
steam
-
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
-
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
-
sub
99
-
svc
sql
veeam
backup
memtas
sophos
svc$
vss
mepocs
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Sodinokibi/Revil sample 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c.exe"C:\Users\Admin\AppData\Local\Temp\39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c.exe"1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c.exe"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c.exeMD5
1ded173cba5c2992874c2a6e7bf400c0
SHA1c65f1761502be63177d1d4643018eebe63eac9d2
SHA256e8b5044a1fd6342ff6d367595a9e8cac8231c392b587d4ed94c4631d587a7feb
SHA5124192be5d712ee0a8ddf256757ec6851bd51ac5437828c100f8b770567b92e3c8cebbb38121e64455a764d858bc50e957d7ea0c9ffc90351b0b80f638f1d3842a
-
C:\Users\Admin\AppData\Local\Temp\3582-490\39ac4660e5ce9ba6df05d0c4c6459094854421d4604b325fa91a619e0841285c.exeMD5
1ded173cba5c2992874c2a6e7bf400c0
SHA1c65f1761502be63177d1d4643018eebe63eac9d2
SHA256e8b5044a1fd6342ff6d367595a9e8cac8231c392b587d4ed94c4631d587a7feb
SHA5124192be5d712ee0a8ddf256757ec6851bd51ac5437828c100f8b770567b92e3c8cebbb38121e64455a764d858bc50e957d7ea0c9ffc90351b0b80f638f1d3842a
-
memory/684-125-0x000001D8BC060000-0x000001D8BC082000-memory.dmpFilesize
136KB
-
memory/684-126-0x000001D8BC100000-0x000001D8BC102000-memory.dmpFilesize
8KB
-
memory/684-128-0x000001D8BC103000-0x000001D8BC105000-memory.dmpFilesize
8KB
-
memory/684-131-0x000001D8BE360000-0x000001D8BE3D6000-memory.dmpFilesize
472KB