General

  • Target

    DomainName.zip

  • Size

    98KB

  • Sample

    231012-e724safb6t

  • MD5

    cea56583a631a661e52e48025bf24ea2

  • SHA1

    5b0bb61b6dee9736e374a54f7de6fcbc229828dc

  • SHA256

    01e0a5cc0c30dbdddec8320e4a3e1984ccb296d50021fbd73c26a4b7a17cae58

  • SHA512

    8fc299a87e144ca8ddbfc474055af54e4a3eb6e5c606ab8db1cf209cf64c556b4a4f5fcaa0f8eaa416a1ccf8eb664b75d68d9700c06d1ab695449cef406115c1

  • SSDEEP

    1536:4JrUR4fPKH5oTR6YO8fa9LxqBhFxay4XQM8vjn6lDHu0Eqhm0FC0E7QPSn5/6nBU:EXK29TO0aPUkNXf8LnqDO0EqbuwS8BlG

Malware Config

Extracted

  • Family

    sodinokibi

  • Botnet

    $2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

  • Campaign

    7114

  • Decoy


Attributes

  • net

    false

  • pid

    $2a$10$mKbuAybjn4W3ipQCt6E7ROYxmL5SSZgUbPuA7PKUsPqJU10KB4bma

  • prc

    oracle

    klnagent

    mydesktopqos

    infopath

    BackupExtender

    powerpnt

    outlook

    BackupAgent

    Smc

    sql

    ccSvcHst

    BackupUpdater

    Rtvscan

    winword

    kavfsscs

    ocssd

    isqlplussvc

    visio

    ShadowProtectSvc

    tbirdconfig

    TSSchBkpService

    dbeng50

    ccSetMgr

    agntsvc

    Sage.NA.AT_AU.SysTray

    dbsnmp

    thebat

    onenote

    AmitiAvSrv

    wordpad

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    7114

  • svc

    Telemetryserver

    "Sophos AutoUpdate Service"

    sophos

    Altaro.Agent.exe

    mysqld

    MSSQL$MSGPMR

    "SophosFIM"

    "Sophos Web Control Service"

    SQLWriter

    svcGenericHost

    AltiBack

    "SQLServer Analysis Services (MSSQLSERVER)"

    BackupExecAgentAccelerator

    "StorageCraft ImageReady"

    SQLTELEMETRY

    AzureADConnectAuthenticationAgent

    ntrtscan

    ds_notifier

    TeamViewer

    "StorageCraft Raw Agent"

    "StorageCraft Shadow Copy Provider"

    SQLTELEMETRY$SQLEXPRESS

    VeeamHvIntegrationSvc

    AltiCTProxy

    MsDtsServer130

    ViprePPLSvc

    McAfeeFramework

    MSSQL$QM

    "swi_service"

    "ThreadLocker"

Extracted

  • Path

    C:\Users\3b61kze1-readme.txt

  • Family

    sodinokibi

  • Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3b61kze1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/671E6736B5450D98 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/671E6736B5450D98 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: VzsDeWlyWVQZZFHUHSD41rJNZJMiEqf9LXQ6jvtqvifpXCFQs7ewpQz2gQCQZ1ph zQVP7wI3i8116XeisKXlcV+wTTFOaE3UwGPlfoQbvBYm0To6SIZnw8cc+geqt3Om Gkgh9byw9tzjJ0qd6Sjzc+ElscjL5q6LJjqluz+TBk9wVl2bBC9O3O6v7mg0SMUL Qe7Q94zmob+govBf+u26BFf2RZxsDFXkXFBAn3RStA/dJ7N+LNFdRc4CVPWknQhU y/DxsBHKtOJP2kCJbUCKuCgdbIfp7he9tGZx6lBhajGDg8bF+BxNo9+gfkWDve+u fNM6SjRxueJH/I3gwMzzxrAcVW5DzuD29bX/g8Q25kRcNsK+R/MgNAb1WFnxwEDY t/Kh0hiwahQmYNWY/4stFlbjwAuu/JDuYLPbE3P2O4CTAU6HPJ9VpjVKOgn828z1 1YO/oWzrA7gNEHihtjGNabt/gm8dToMC3JE+yxjvTF05ombkI+o3L9eoYN3RTL/L JcHfOy6zPF1n/LCUiUlwId6E4Tfo5/ZT2oggU7lVZtyAlZo4jreAYke0UqMI1iTG hLGfAT1hgmKYVIemPHDMwkcqwzhy27TPycy87nT2XPZzHJUZu1P72HDK2ZGtxIYd J3O9Re2DMAHdtRkOfb8gpBLOxfSSRL3J5z8zPA5jZf3KdXrqY1FLSdB+cDiCXLao StzZ2GHAOqCCg29Yy4zXqPfnOAKUiJxIt9QaaIEt/kCAkN0p1B3TLjw4vAHeF8Hq ZTrQluxUyIALYPxiHcHaD23DMI1AFDLZt85WMRubsV1AtINvBqnV69doYkx0nBbf 5e97rnJBimx11HIBGx0WvZZrYYr2NhX3qjTY+u8WwcgD5zKAC6zJFWqpylEED7d4 Q+FydzaevXIFfIw/gtRwKjakRWVgmUw6OY2FGamkJD4OPmi0qEVnGugXXJvXgwiL UdZ8B5Oo/wR1Bli/M9BIBsSNcIXRL+qAEgZcXXCnRxhtidv7jsavJHocBk4dLUrW +3c6En1UteMI1s5/fpZz3/VzJ3mx6Is9zS4sbRSKt9c9HG1oCfesbeB8W/sRuGrx JmMr/Wm4qEOgfCtLINMwOVG2z4g4g/ozJARbrufVL9Qq8krqi7bD9F6kdArIYHSG 2D+osfrskoRmTLU45yqkDeHg8LHZpMIiFw8kfwxqOEz07BRYyWp7sorGyck1iIzA Hder4USqde94/gIVmyoYZHlW0KJRU1S9wlj/w9VnoJn3k+8YV+DPGrN1jFkKipXE EGpN9hgDtFGF9S77r62LNjjglUgAiRuFLkgZCiYqwAozzvSybBb61Ba2Yfz36lzx z20hR1AeiOeGh1Nt27vFT6hDQN3ZW/xIy1k= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/671E6736B5450D98

    http://decoder.re/671E6736B5450D98

Extracted

  • Path

    C:\Recovery\75853c-readme.txt

  • Family

    sodinokibi

  • Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 75853c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). =========Attention!!!========= Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. ============================== [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D8E91A9E20C05975 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/D8E91A9E20C05975 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 27z07yDQJjxQE5DnULNTqhtux9oQEEkpDEGGwdSVQ+8w2MmDmFVT83iC2T3H9A9y jejx9B72c/dQ3hlAv9MFcq2jOvDfS8hNGg0PojkjWJogQ8JWBqu3lnNOG+LyPyB3 x9NcBPaCdf9AelBSdNYplbEcej+FVClbdG9aqeL1PJdjmqpjbT1UycdegvgkTWQp pmzKYhR+H6eENAiMJuaHQs8V7BEXxgPdKVbs4AqFLn2NqH+tlEkhVBcjkPwrhCJm zGTH1al0xu3zQdQXwHaSVo/R+TfsBLsvBMyq7xYFrCWrEPUfnb/b6Q90pGH69rph yp6BuLFmq1eDVxOxNRuQ8h+2mxOIllakzle86RwpJQUHKvbDhXXMr8ZebTgHDLij yHjhYtOwzjE8X1D1FwEITX0xQjgmqp5Dw8L+gRO0N85g4/y9LQa0PBez3fmFOF6G /OuR/bJWKvuXGca+5XLj5V+U/K5QJn+PkNLLp7tq5AEV1CQqQJ9GiHJHJMpsiwof G80WT2YtuB6YMM8H6Vjo1MpNgZUIMtObR1+94Uv0gwmuvptX+ccOftN3u211S5PS srepklOausR+jlrXkjzGoDEO/KVbDoXfajT0QQ3blWBpVYHsviGhJbHV1LfEaljg PMLeudOTK6XKDYxeIOl3acbj6kpAViABqx46E+DKsynDE7Eb+2lL1+Y/czTs3zjL liKwbMHG3pV5QUiU5N5AVG1iu+qOLF3JhDf5i5rt/2DMwDsKNmTTqOdpdl0yOxfl mItBNJD1Y1wF/o1NeyiGbvtSaZDfg3F/UFY2Lll372AdN9D+gq72JIrwgcAvgtle DleoQyBVtKyE3Du/8BL5ClJNiwakLCeXupJjOYmOEYg7Y5HUKYfx5Ne11fhO62wu I202Jft+K5Q8fsGpxcVlq6RbdwFNzMVnPb3hexVD4VaFwAP9Xv8DLsvZV7L1w3aI F+qO05lbHU3eWJJ0EzzIcA4pZ0Z22dAM5hgDEzx8cUWHM6gh2eWmbllVVo+ZjCB7 OXKLgRqNt3v0rommDHZdOurAh52ue5l2OFMZzFfOVKSgY+ujqWSHK4xUc1qpHqP0 a12wToF4V2sCURKC54iOcO/hcKAxCU70nONNQwOaLdV7li2A54yvJPDzSJd2W790 cjyYPb38yzncYqu88baIHskWISlwy17cE3055DUfm9PYiCH/AbLnM/FDk39eh12a f0hXWAtQZIF/HsSfcmoZQvUp1vAdC/hAo7ITJ5Cf8jQcUay70ZRO/XuuJfX2mVcV I/UrMyY8bqFf2aYrv27+EYB0+nQsFAFhaqayyD7Ajk2hTGzNgEpbBPvRObrSXHA7 Ztm/75SV6QXGBC3+F2sOFTBvwh/ehv2gbEkpuw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
  • URLs

    http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D8E91A9E20C05975

    http://decoder.re/D8E91A9E20C05975

Targets

    • Target

      DomainName.exe

    • Size

      160KB

    • MD5

      6023d7082c077af7f45ac812a576f113

    • SHA1

      74033be723ac674bc8244cd33410f778ae275ddf

    • SHA256

      9cf2bb3ba92b075e1a53d6a03461bc5d656a744e891683d20650c4e4515b9201

    • SHA512

      46100b5053a7f2a42d9fd05791996f6e0289cd5c0a2e47c1a911ed190e00745c4ac733a937a4e06068118673b72a1c189c73423995d177777b38ed7a98ce3627

    • SSDEEP

      1536:JxqjQ+P04wsmJC6pzK88ICS4Aer9DIPcG5zXbwMcClFyFfjRto2+i0BH8A4krBJC:sr85CuZE0cOzbwMflEBPoq/LPrlA0

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family is a file infector: it writes itself into other executable files in order to spread and cause damage.

    • Sodin, Sodinokibi, REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Event Triggered Execution: T1546 (1)

  • Change Default File Association: T1546.001 (1)

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Privilege Escalation

  • Event Triggered Execution: T1546 (1)

  • Change Default File Association: T1546.001 (1)

  • Boot or Logon Autostart Execution: T1547 (1)

  • Registry Run Keys / Startup Folder: T1547.001 (1)

Defense Evasion

  • Modify Registry: T1112 (3)

Credential Access

  • Unsecured Credentials: T1552 (1)

  • Credentials In Files: T1552.001 (1)

Discovery

  • Query Registry: T1012 (2)

  • System Information Discovery: T1082 (3)

  • Peripheral Device Discovery: T1120 (1)

Collection

  • Data from Local System: T1005 (1)

Impact

  • Defacement: T1491 (1)
Tasks