Analysis

  • max time kernel
    140s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30-01-2022 07:55

General

  • Target

    2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe

  • Size

    198KB

  • MD5

    1499f5668b9971a2c09dbb3fd01f269e

  • SHA1

    eb6a8963cadc485d0cd0ebfd06e64f8adc281409

  • SHA256

    2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c

  • SHA512

    7fc7aa1bd276a6fcbe3ca851ee488627a3d87488b6641a665dde2ae6cc5de814c42242f47bba10cd4c8edf1b307edbebd28b0c8401eac1a9b930fc15161240aa

Malware Config

Extracted

Family

sodinokibi

Botnet

13

Campaign

49

C2

baita.ac

chorusconsulting.net

enews-qca.com

epicjapanart.com

eos-horlogerie.com

altitudeboise.com

topautoinsurers.net

grafikstudio-visuell.de

nutriwell.com.sg

yourcosmicbeing.com

alpesiberie.com

chris-anne.com

dcc-eu.com

greatofficespaces.net

grancanariaregional.com

outstandingminialbums.com

ebible.co

wallflowersandrakes.com

inewsstar.com

therapybusinessacademy.com

Attributes
  • net

    false

  • pid

    13

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    49

Signatures

  • Detect Neshta Payload 15 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample 5 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
    "C:\Users\Admin\AppData\Local\Temp\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"
    1⤵
    • Modifies system executable filetype association
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2a995ca24af128edbd324bd501c205e8f788e78a0febd23b4f9249e6eca1825c.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1820
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/868-54-0x0000000075761000-0x0000000075763000-memory.dmp

    Filesize

    8KB