Overview

overview

10

Static

static

10

329c2d6753...15.exe

windows7_x64

10

329c2d6753...15.exe

windows10_x64

10

Analysis

  • max time kernel
    174s
  • max time network
    182s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915.exe

  • Size

    219KB

  • MD5

    23e2e231d941268aa54c5dbe465506e4

  • SHA1

    7d7508cebe74f05abe64f46fdd74c8f7a2130c53

  • SHA256

    329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915

  • SHA512

    fff902956992c68f2db01b5ed24802790834abae0aeb445e417144b54002887b8d132f083fd47239293fe858e239d1154f262e909ff8bba83ff0539f7a0d297d

Score
10/10
neshtasodinokibi1935persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\5y36n0-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5y36n0. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA1AE2C74440B033 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/DA1AE2C74440B033 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: BMybeUsEx2i/Nfkr7cZt58AaI954HR4PRwKYrxJ4ze6Vm4KFVI5bCnUU8J1FK+M3 pTQFLqkfsT8oo0aml3UoH767Q8HVrna8Dgn5AT8CDOBzi7NQajw3Kh0M58rlhDLA 4kLQMV5B9n4E1H4tprISVQM3VsJs3zt9LXg5MEg2SSt8IGW2CKlDO4nnY/+7jhjI i2KZb6sL4Xz17n8hZqHrcRWaGsqAtoLeKsnfdRHxv2gCc8bt8XDXmJEZ3Q497agN cNgRbEBYuCGw6qptsTaF3j6jtBhXeSOp9NNI5Jkh4dax/6nkKDB3ZJ7j193/qlka cT9tjVgmVYbeD5WnKqw1aTQUh3RLitXd8aHT3L+C165jlmX/Yoqb9IRBJha8Dg8N /+DetRalZ6zlo1hF0+xnall+V2V1Iwh8UWv6o2lSlvURBlSzevBZ7Q5GyoDfWtiU yobsv98QerKcgA+H2usJ0+UWCWVsftVF13NTTRFqU/3F8qJjqvqOzEcdtpft8lv8 Ynhqw8YwBE6cLTMM9T2bWyUj/G5X1zBITB5L1yyUgV4bJfrONAkLe1yCqpZoIhUI w7KByttxgQ1MfFTU3lkeqc0vq+zLw0MdZGT7NRATgF2eeduI1Tb+PCVekthlx6oM teW6G0BONqlZ2Z6R+zElqPvJXQbIqYLL7h2A6+QtjdbTviPVR1wbEtvZCD7n+hzh 0UuW4d4kS4k2XcFpjW5/knBEalzOhxjxa/C/JTnzF+k2HljkvXiDwFaF1IRd0TVX 9nELhqaowAWzi3HvNl6LxdU7GSqCS12hHcBZg0qKCXhivxxb6g6YTDvoVqqKwNua n8WbrUVWbhOCSNdf0HTm1K90V9K+UnrHREIxbB/klTJbY39Tknn8WmomW9s6uuNC uuLYbQG/zgcvVyb6IJbLxO1nNLgLbdM3Ic3BY02M6i0o7jgwUFV2PJKHYXTQcnm7 AdoQgfHnYYVAl/YtxAhC9Z+UqnVfvCWm+ZUmVsKucB0XJlzw9Hy2g3S7et2Ogy0O tlrJ2JlXHy4qbMWWQ2tOgvbMb6Q7diaGScQ7E+cNxqN9fH7wKXpMs/HXNm0aJ9D7 qfdm4WaLBhXNmiTsQmAqnMQY2wLUjoYjL8lQYZZgh86TP6stuOBeBg== Extension name: 5y36n0 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DA1AE2C74440B033

http://decryptor.top/DA1AE2C74440B033

Extracted

Family

sodinokibi

Botnet

19

Campaign

35

C2

ufovidmag.com

daveystownhouse.com

profibersan.com

trivselsguide.dk

achetrabalhos.com

centuryvisionglobal.com

zaczytana.com

putzen-reinigen.com

maryairbnb.wordpress.com

ncn.nl

utilisacteur.fr

vdolg24.online

livelai.com

opticahubertruiz.com

brisbaneosteopathic.com.au

liepertgrafikweb.at

lifeinbreaths.com

ronielyn.com

ultimatelifesource.com

markseymourphotography.co.uk
Attributes
  • net

    true

  • pid

    19

  • prc

    infopath

    isqlplussvc

    mysqld_opt

    msftesql

    mydesktopservice

    sqbcoreservice

    ocautoupds

    ocssd

    mspub

    dbsnmp

    thunderbird

    mysqld

    oracle

    thebat

    sqlagent

    tbirdconfig

    mydesktopqos

    wordpad

    firefoxconfig

    winword

    onenote

    sqlwriter

    xfssvccon

    ocomm

    outlook

    synctime

    sqlbrowser

    visio

    mysqld_nt

    msaccess

    powerpnt

    encsvc

    steam

    thebat64

    excel

    dbeng50

    sqlservr

    agntsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    35

  • svc

    backup

    memtas

    vss

    sophos

    sql

    mepocs

    svc$

    veeam

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Sodinokibi/Revil sample 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915.exe
    "C:\Users\Admin\AppData\Local\Temp\329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\3582-490\329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3880
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1452

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915.exe
      MD5

      8c1561ca54045cb6934c62711e16e6fe

      SHA1

      6708d111176432e753f3564b2ad7c0233408d739

      SHA256

      67a1130899695f2a2afa490ac62d6641c6bf0dc5dd3a63e786e806454214f36f

      SHA512

      58951d028c7c7acfe8f5c5936b625e2f49bda8455d25da9fd446bfa016b5501ea5d29de323d9dee179bcdc2dd75d9e1b78fd489c9b9fc965de35862535b883ca

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3582-490\329c2d67530a45ae10a9f029079002e63b8d4b047ebfce81c089b36ad63b4915.exe
      MD5

      8c1561ca54045cb6934c62711e16e6fe

      SHA1

      6708d111176432e753f3564b2ad7c0233408d739

      SHA256

      67a1130899695f2a2afa490ac62d6641c6bf0dc5dd3a63e786e806454214f36f

      SHA512

      58951d028c7c7acfe8f5c5936b625e2f49bda8455d25da9fd446bfa016b5501ea5d29de323d9dee179bcdc2dd75d9e1b78fd489c9b9fc965de35862535b883ca

      Download Submit
    • memory/2264-124-0x000002A4F98B0000-0x000002A4F98D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2264-128-0x000002A4FA400000-0x000002A4FA476000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2264-135-0x000002A4F7880000-0x000002A4F796C000-memory.dmp
      Filesize

      944KB

      Download
    • memory/2264-136-0x000002A4F7880000-0x000002A4F796C000-memory.dmp
      Filesize

      944KB

      Download