Analysis

  • max time kernel
    166s
  • max time network
    176s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 02:24

General

  • Target

    2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe

  • Size

    207KB

  • MD5

    8617cf6577b2020b9251a898a98308af

  • SHA1

    c4d7436ab085a6113c4d77b8765504d42a66aece

  • SHA256

    2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50

  • SHA512

    1b11cd0de765f97be892cbd8b3d244dd7fd226af2c9f8ddd523aca293c80ca22ec437204ea7f018ca35d9c2cfa2f270c928c5098db5184a8640204a610bb5426

Malware Config

Extracted

Path

C:\w0o9n-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension w0o9n. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2B975C6815AB259 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/E2B975C6815AB259 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: DklhphJ2/qYNA47SGLunjGxN68XIQ80crzGxtCP+S2t273+qR/rkXfOpFiHNvcBD QnhOA0q2Lv2PPmG17uVrK6DWqY4fE50IeRnuK+52IqCK271KT5RP6StpNc5KGyHw Cb89uwlFZEhz02Doah+PEaA039m+OxUCd5P1vwXUmHM0hZF1Pu01qytj9G5i7FeO wMb3Md3ncnkkiPVM8qMCVXE8k2qQgbw/92xKiV5xCCLoq31ljVAzj8l4d29OIzBU V8o7nRvIQD243wxOqCt0lqf1GSb9ctSXXa5VDjCmJA5vRw9MeM71kTeyXn+dpKH/ XmFweHAZShwST3NU63+e6Y2rzQRYh8rfQxf30dcOOxztJTgu5vswiIIL+tvuZWTQ g0Nx5zMverN6RP9KXsXWppv4o+BNIC5qw4BGvuT5uvMeDcsebTpgMhJe3mSNuIId NoreLNgUBtA46DgfAVe8I93HaYIMHiiz2urMJArRqSL4zi3b27Sbai40rqWhemR/ 93dq/CTlLDt0ESFfD6YricGE4WY3m5VouOLy9ulP7kYEf+ejguNv0MIQyjEkbAHn /kCf1XSFQ/4JrYyjvUcE0iShdLfy/w4yAFMN3eYE4YwknByTeAukdSDJjWYoLxVI pvMNLJAMOqJdsnUoef6QTZ2y5F2WQJwP+kgdCDn8tng1OM1Id+ngv/Vb7WCONp4c c9uqKnYagziB8zK7Jx5raF20GuFsT7xvF2iREzt0DT3j0E51d0NAF0zmOTiIXLaP JlinyozvLnN1odhADUTZsIt/iOejxCXEUNSqX5FWMywM5GJrVa4cIjNafcMlxood tr0bffLrOgJMNfyRMOg9bMyvUlEgc4c5hM2IwetmC5IGmFBdLn2KCIMZgbS74cbt BX0W6gh9C2DaaccztThzuCNYGh0gxqKAq2nU/XotA/f8qjSC0eeMNjmxT5udwrcS ae9PVaoGTuaOn/lf459Vh374bYivrknOD+REwEZfQppVYyt3zuVgFoT8Uzx9cTD1 8CAnwW5E9o+byeRAEGk3on7a2gEWQMedrGej6avG98sChqUczELyz3wiFx7VcW7l W2/aQHpViqYeXOMZhDasLoXcjaRZdZJO/kpEk9VnovpeTwuteyPO9fHPBC1lg+CH g81an8jwKWrO6rWPwK7jH22GyZulhsr41ZRnBFErcJ+bp5wcw7HBvUe784qfbmSI h1EvqGXqszbDRCNUItoOZeNiY5vfX69WiGudkB9k72nH/tc9vgwy6TVN+UNnjgLr KZb1PjyEJjj1gRPMsW0= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2B975C6815AB259

http://decryptor.cc/E2B975C6815AB259

Extracted

Family

sodinokibi

Botnet

$2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

Campaign

3385

C2

balticdermatology.lt

liveottelut.com

michaelsmeriglioracing.com

spsshomeworkhelp.com

campus2day.de

madinblack.com

tanciu.com

agence-referencement-naturel-geneve.net

jakekozmor.com

tinkoff-mobayl.ru

myhealth.net.au

maasreusel.nl

pmc-services.de

evergreen-fishing.com

noskierrenteria.com

galleryartfair.com

importardechina.info

trapiantofue.it

tux-espacios.com

ecoledansemulhouse.fr

Attributes
  • net

    true

  • pid

    $2a$10$maSqYzCs2s.gezYwrFOoJuI4SIRqDq0fr0z6iKBeb4EdgQpwYnYjq

  • prc

    thunderbird

    thebat

    msaccess

    mydesktopqos

    ocomm

    ocautoupds

    outlook

    xfssvccon

    wordpad

    encsvc

    excel

    agntsvc

    sql

    winword

    isqlplussvc

    powerpnt

    ocssd

    dbeng50

    synctime

    visio

    sqbcoreservice

    mspub

    tbirdconfig

    steam

    dbsnmp

    onenote

    oracle

    firefox

    infopath

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3385

  • svc

    veeam

    backup

    vss

    sql

    memtas

    svc$

    mepocs

    sophos

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe
    "C:\Users\Admin\AppData\Local\Temp\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2404
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:504

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\2650b2c6e689cadde5c36b99111d01b2dc0e02c32f3891a9365a6cb6c2337b50.exe
      MD5

      340b6f816bfdcfcb466cfc126c976844

      SHA1

      e2e3adfcf621166a9f5bb7ee9795b7914cda2095

      SHA256

      3cff33197edc918d47d08f44d6ddbdda157337f0ad58288d15746cf72c0e4c57

      SHA512

      3e729878fe7ae2ea2f025d71d78226ddb5930b791143eb8c4ba4a7589d5944e5b0e37e8ffe1ea4983bbc66c71587e3a4b158b3e8a2b71ccbed2889c4778962f9

    • memory/2688-123-0x0000012E6E100000-0x0000012E6E122000-memory.dmp
      Filesize

      136KB

    • memory/2688-128-0x0000012E703A0000-0x0000012E70416000-memory.dmp
      Filesize

      472KB

    • memory/2688-135-0x0000012E56050000-0x0000012E6E150000-memory.dmp
      Filesize

      385.0MB

    • memory/2688-138-0x0000012E56050000-0x0000012E6E150000-memory.dmp
      Filesize

      385.0MB

    • memory/2688-142-0x0000012E56050000-0x0000012E6E150000-memory.dmp
      Filesize

      385.0MB