Overview

overview

10

Static

static

10

DomainName.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DomainName.zip

  • Size

    98KB

  • Sample

    230922-qvmn4sgc6z

  • MD5

    cea56583a631a661e52e48025bf24ea2

  • SHA1

    5b0bb61b6dee9736e374a54f7de6fcbc229828dc

  • SHA256

    01e0a5cc0c30dbdddec8320e4a3e1984ccb296d50021fbd73c26a4b7a17cae58

  • SHA512

    8fc299a87e144ca8ddbfc474055af54e4a3eb6e5c606ab8db1cf209cf64c556b4a4f5fcaa0f8eaa416a1ccf8eb664b75d68d9700c06d1ab695449cef406115c1

  • SSDEEP

    1536:4JrUR4fPKH5oTR6YO8fa9LxqBhFxay4XQM8vjn6lDHu0Eqhm0FC0E7QPSn5/6nBU:EXK29TO0aPUkNXf8LnqDO0EqbuwS8BlG

Score
10/10
neshtasodinokibi$2a$10$mkbuaybjn4w3ipqct6e7royxml5sszgubpua7pkuspqju10kb4bma7114persistenceransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

Campaign

7114

Decoy

withahmed.com

scenepublique.net

aglend.com.au

jyzdesign.com

nsec.se

cirugiauretra.es

gopackapp.com

tinyagency.com

crediacces.com

xn--rumung-bua.online

bowengroup.com.au

mastertechengineering.com

kmbshipping.co.uk

homng.net

fitnessingbyjessica.com

oldschoolfun.net

roygolden.com

sotsioloogia.ee

real-estate-experts.com

mir-na-iznanku.com
Attributes
  • net

    false

  • pid

    $2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

  • prc

    oracle

    klnagent

    mydesktopqos

    infopath

    BackupExtender

    powerpnt

    outlook

    BackupAgent

    Smc

    sql

    ccSvcHst

    BackupUpdater

    Rtvscan

    winword

    kavfsscs

    ocssd

    isqlplussvc

    visio

    ShadowProtectSvc

    tbirdconfig

    TSSchBkpService

    dbeng50

    ccSetMgr

    agntsvc

    Sage.NA.AT_AU.SysTray

    dbsnmp

    thebat

    onenote

    AmitiAvSrv

    wordpad

    msaccess

    avgadmsv

    thunderbird

    BackupMaint

    Microsoft.exchange.store.worker.exe

    CarboniteUI

    excel

    SPBBCSvc

    LogmeInBackupService

    encsvc

    ocomm

    sqbcoreservice

    NSCTOP

    mydesktopservice

    kavfs

    kavfswp

    ocautoupds

    mspub

    xfssvccon

    DLOAdminSvcu

    synctime

    lmibackupvssservice

    firefox

    steam

    dlomaintsvcu

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7114

  • svc

    Telemetryserver

    "Sophos AutoUpdate Service"

    sophos

    Altaro.Agent.exe

    mysqld

    MSSQL$MSGPMR

    "SophosFIM"

    "Sophos Web Control Service"

    SQLWriter

    svcGenericHost

    AltiBack

    "SQLServer Analysis Services (MSSQLSERVER)"

    BackupExecAgentAccelerator

    "StorageCraft ImageReady"

    SQLTELEMETRY

    AzureADConnectAuthenticationAgent

    ntrtscan

    ds_notifier

    TeamViewer

    "StorageCraft Raw Agent"

    "StorageCraft Shadow Copy Provider"

    SQLTELEMETRY$SQLEXPRESS

    VeeamHvIntegrationSvc

    AltiCTProxy

    MsDtsServer130

    ViprePPLSvc

    McAfeeFramework

    MSSQL$QM

    "swi_service"

    "ThreadLocker"

    ofcservice

    AUService

    sophossps

    AzureADConnectHealthSyncMonitor

    Altaro.OffsiteServer.UI.Service.exe

    "SAVAdminService"

    ds_monitor

    ALTIVRM

    SSASTELEMETRY

    TmCCSF

    MsDtsServer110

    "Sophos MCS Client"

    TMBMServer

    SBAMSvc

    mfewc

    "Sophos System Protection Service"

    MSSQLFDLauncher$TESTBACKUP02DEV

    VeeamDeploymentService

    masvc

    backup

    MSSQL$SQLEXPRESS

    AltiPhoneServ

    MSSQLServerOLAPService

    SSISTELEMETRY130

    VeeamEndpointBackupSvc

    mepocs

    Altaro.UI.Service.exe

    "ds_agent"

    HuntressUpdater

    MSSQLFDLauncher

    "Sophos File Scanner Service"

    SQLAgent$MSGPMR

    ADSync

    KaseyaAgent

    ReportServer

    MSSQLFDLauncher$SQLEXPRESS

    MSSQL$HPWJA

    KaseyaAgentEndpoint

    VeeamTransportSvc

    "ds_monitor"

    mfevtp

    MSSQLTESTBACKUP02DEV

    SQLTELEMETRY$MSGPMR

    ThreadLocker

    MSSQLServerADHelper100

    veeam

    tmlisten

    AzureADConnectHealthSyncInsights

    "swi_filter"

    MsDtsServer120

    ProtectedStorage

    VeeamDeploySvc

    memtas

    ds_agent

    VeeamMountSvc

    HuntressAgent

    SQLAgent$SQLEXPRESS

    bedbg

    MSSQLSERVER

    "ofcservice"

    VipreAAPSvc

    "Sophos Endpoint Defense Service"

    KACHIPS906995744173948

    DsSvc

    MSSQLLaunchpad$SQLEXPRESS

    msseces

    macmnsvc

    LTService

    Code42Service

    Altaro.HyperV.WAN.RemoteService.exe

    LTSvcMon

    MSSQL$SQLEXPRESSADV

    "SAVService"

    Altaro.OffsiteServer.Service.exe

    "Sage 100cloud Advanced 2020 (9920)"

    Altaro.SubAgent.exe

    mfemms

    "TeamViewer"

    "SQLServer Reporting Services (MSSQLSERVER)"

    VSS

    sql

    Altaro.SubAgent.N2.exe

    "SQLServer Integration Services 12.0"

    SQLSERVERAGENT

    vss

    "Sophos Safestore Service"

    klnagent

    "Sage.NA.AT_AU.Service"

    MBAMService

    "Sophos Health Service"

    SQLBrowser

    MySQL

    "ProtectedStorage"

    "Sophos Clean Service"

    "Sage 100c Advanced 2017 (9917)"

    "SntpService"

    VeeamNFSSvc

    KAVFS

    SQLEXPRESSADV

    KAENDCHIPS906995744173948

    sppsvc

    Amsp

    psqlWGE

    Microsoft.exchange.store.worker.exe

    kavfsscs

    "Amsp"

    sqlservr

    Altaro.DedupService.exe

    svc$

    "ds_notifier"

    "Sophos Device Control Service"

    AzureADConnectAgentUpdater

    AltiFTPUploader

    "Sophos MCS Agent"

Extracted

Path

C:\Recovery\7a95s-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7a95s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA68B5D22BA84E39 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/FA68B5D22BA84E39 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: fpbEHVKPkFC7R06Fii6Oop6ZFa2q0ggdFCB4benU3o5wuxyr/Juk1kmWIF00TD/L higMyhXaVgpi4grOCCtquNOOc5YMqQYpunub5xdEuEvmBSUn2XTgr43mOYWLjP/9 e3QbakbpF5/7TzmJM/NpTi4dc7myYVOLTnX94bEx7xlglANR0TDtVvv6TsZc8o4r ID9j8qZ8VZ7Uily8T442rvCfVQEsBnPSvaC+eErNIuCt5jFytFWryJwCh7SYKN+S JxuiCF2fs9hLcFlvJvxUn8yrtolSnBP1YnkD7Qx38tDB4nNVUUOSYK4seIK01u/j yRZ8fKzAel0m0XScDeuTNz31OwYdXHLeJr+FPQV1TecZ7+4pVQrWtDWw8UBiLReT /NsLTPgvFTX9rJ1baGhZXL1K266pnY8T/WIlOs4ze0Sv0iqj1KnQ7dIkh8q/sdme FsqCDtaLRsjG85NH0FnpWYV/vIE9hfYMbGTJgESqNdc89OctRiid6OrYfyPCch35 ixOpzAAdzCsybmHVfaKvCMH9eJCJ1VhXrViTUP3l3Nb95ENhK0u5ZhNgJouC91rG tcu+Lg8kMmHSPWISlxGncoq6kE4sv9VkheXH2K5ieKWuse/0ukTpZEwXhk1bRlt6 D8cVoqT2ZaDdu4GXUvuBZt0k5iwL2xi03EKMFU+xXPpBzZqt0bNg3g3qfauJ7b89 zN9F7RosNnhFygpMn8JAfqqOjBKWaiVFRQSjbk6a8b0l8eBw2N2aKKNGhqutWI4u UYcqJ4k5Q7tLGCvkSqM743Eegqv/JrosNK4MN2hGN9Ogm31Rr8FQX6GefJHa0idN u9u2IUJks+DVKYPd3ZoIhUcfTevFKqFPkKgy9eUBHXmI4dzjalLLnnYTsxMXL8DT hxmMAxLd1tW1dSUfvuba+qY44bMmBs3FJZtBqFQhrAoSYTbRZ1IKi32aM1VbUrN1 BOjnyA33/3oSAug47wxgC92RNnno0ZnRPaVDip0xe9OOvFkfHEatqW1KoE+ysNGc IXAeVYAK4YFG+lj5RrIWoBj1POIgPe1DAM94oBl2AaKm4MvNWWWV+XlNDUw5M7zZ 99oipRgzSRx2NGqPWbBQ7mBu8pfj4/8p+rKlKSWFyqfBEAGsfUeKkVx81leqg2sP ZVG9uZyl1aY+Y0uLcm3BNE8QuAzKZwfgyzdJa+Nlstl+tGJHSDFFiNB97omN+36n mCgGR7/hFelaXtcqjZACuUBpBYOiVac2W6VHWwlNsUOd0VO7nh75Z5Tr2NvSHkBG /mceDn9BEYo0zZwf2LJGQWvcqkZcU73X9SuJINR2SodZXTuFjmoWLPG3Lp95cP7w YRS0uMkrvz1BlkdoUzhixfF0d6vCaURxvMM= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FA68B5D22BA84E39

http://decoder.re/FA68B5D22BA84E39

Targets

    • Target

      DomainName.exe

    • Size

      160KB

    • MD5

      6023d7082c077af7f45ac812a576f113

    • SHA1

      74033be723ac674bc8244cd33410f778ae275ddf

    • SHA256

      9cf2bb3ba92b075e1a53d6a03461bc5d656a744e891683d20650c4e4515b9201

    • SHA512

      46100b5053a7f2a42d9fd05791996f6e0289cd5c0a2e47c1a911ed190e00745c4ac733a937a4e06068118673b72a1c189c73423995d177777b38ed7a98ce3627

    • SSDEEP

      1536:JxqjQ+P04wsmJC6pzK88ICS4Aer9DIPcG5zXbwMcClFyFfjRto2+i0BH8A4krBJC:sr85CuZE0cOzbwMflEBPoq/LPrlA0

    Score
    10/10
    neshtasodinokibi$2a$10$mkbuaybjn4w3ipqct6e7royxml5sszgubpua7pkuspqju10kb4bma7114persistenceransomwarespywarestealer

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks