Analysis

  • max time kernel
    152s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-11-2023 16:26

General

  • Target

    NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe

  • Size

    164KB

  • MD5

    ca337c7130eef4f4ff8e8a4a8ec28647

  • SHA1

    28558e35d3f9af01fe438eba7fba1c38201c86de

  • SHA256

    17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467

  • SHA512

    60b9b7841a942a6bcb700872b6ff1353fd282a7b318d6ac8d47e419573978aff43c961436a2fdb6a076e81545ef9759e7848fdc9eaa5a571638ab19d666a1c1c

  • SSDEEP

    3072:LBVn11HzIOLbi4eTMlwDCnun4XbZIt+ypUF:d9jzvbnWJnu14p

Malware Config

Extracted

Path

C:\Users\bv0khy49-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion bv0khy49. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C145108830592262 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/C145108830592262 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: WvoHtHxCkxZoSMiNa2akN7oaGEMIOCZV7vHK9RnM61D74HW6D4R0v4GzCqJJyHAw TwDcylv9aUEORDKPTDPSjUBhF6asH0x8VCQ4c6nnAj8x/eOtiTaF+l3Pak1CIChA sOZc7aftwUReIrX51+0ZbTXGrrwpwmLMVJ0VmRPPbcjNjajcTPbKHxRvwQ8zYJp6 loJYMLKtgH5DvD0/SnndQMxBk/I226bEUidpFXlF2rxXfeRSRCz/Xbmw1p8kuSAP 8thaVMYzQQuxXUmv1Wqd1DVqdHNLpbnYLWKRdKud5hJ/8WhKgNUWeg0jHmuwC6en JTkVFhuADX4+tcv+7JQBbFo+SOoYv9BDVdqBd50CG5KrcGGZz7rXPKNLtE64WFf5 fb78CL1kkMlkOYs7WmzpzHq09OyPZaMeOHf7jCm5EyYKj5zCa5O7YVX0fofmi3PI 3h/imVcWp+CcF1wcVifKiwYZXHn5F/oQaFWGz7vklZ72c96ww8ppFhTm98+8c1fT l9f91mvqwvqJosa9r3vJYjKWuWI8KeDWbMl0LdzTfk4LiUVk/AyF3R1/Xbi0vjsD sk66mDweZSfA9/X0M0/5j/rjUje+90wlOAeOzqd1nXWVeqSjULD4KeVsAeNj8eqw sfac2At3pWHWjraXW1IFRGoEnd8LiTNYDoqskaNcSRwmG73TkoYMyAf+JY5MfyF5 VVYfT0mp0Nvc+mPtK29TCHfiQmfslvYyLcAX5dsCUeyF5x+ex0MOtCSNxbYwSUfy Oxz9eMV8bfoEpf56fMosGj+8PBg7hkohTxSFO0u9dYiyplXJToFw3vziHeeebhQo mL2+hzrBivb7QyAFkfPOkkZVSsvq9NvDI/iOZRDo9Bf+vrziRS1OmbQkwLg5bclF Bhlmdt/1oJvrN7N6aH1zhRptAA0noGnvFupXKW2f7QZWyJzbhyVJjTpI2D5z2agi VOGlv/SEsnyfS54IWr/cfh17emFiDo0Hqaborqy4VzDZa4CG9Aj0UhEGgm9PAdxT ioYDfkiK9eGuiOLjFSUJG8DX6TXd8QIIKJn7ZDmQ92PfXsbJ97U3ZsHotFzbZsjf 37Cmye/1cLfw7ORRVgwb/Bmti+fmi1FvtlZyLKMjCRkIBozrcnIB7pSi/cCZoEy1 GK394D61B0Y3RPq+lrwMCXiWB0wE07P2IAupCy222PVuZCuiUbXAAjIQ4vQjVjfo 5el8DxTeACAB3TMD3WE= Extension name: bv0khy49 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C145108830592262

http://decryptor.top/C145108830592262
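The extracted note above carries everything the operator needs to re-identify the victim: the random extension (bv0khy49), the victim ID that is the last path component of both the .onion and the clearnet URL (C145108830592262), and a base64 blob labelled Key. The Python below is an added example, not part of the sandbox report or of the sample, that pulls those fields out of a note with this layout and cross-checks them (the extension must appear identically in both places, the victim ID must be the same on every URL, the Key blob must be valid base64). The note it runs on is a constructed stand-in with the same URLs as the report but a 96-byte known key, so the parse can be verified offline; the real Key blob is not reproduced here.

```python
import base64
import re
from dataclasses import dataclass

# Constructed stand-in for the extracted bv0khy49-readme.txt: same layout and
# the same onion/clearnet URLs as the report, but the Key blob is 96 known
# bytes so the parse can be checked offline. This is not the real note text.
_KEY_BYTES = bytes(range(96))
_KEY_B64 = base64.b64encode(_KEY_BYTES).decode()  # 128 chars, no '=' padding
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on you computer has "
    "expansion bv0khy49. "
    "1) [Recommended] Using a TOR browser! a) Download and install TOR browser "
    "from this site: https://torproject.org/ b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C145108830592262 "
    "2) If TOR blocked in your country, try to use VPN! b) Open our secondary "
    "website: http://decryptor.top/C145108830592262 "
    "When you open our website, put the following data in the input form: Key: "
    + _KEY_B64[:64] + " " + _KEY_B64[64:] + " "   # note wraps the blob with whitespace
    + "Extension name: bv0khy49 "
    + "------------------------------------------- !!! DANGER !!! DONT try to change files by yourself"
)

_EXT_RX = re.compile(r"expansion\s+([A-Za-z0-9]+)\.")          # "...has expansion <ext>."
_EXT2_RX = re.compile(r"Extension name:\s*([A-Za-z0-9]+)")     # "Extension name: <ext>"
_URL_RX = re.compile(r"https?://[^\s\"'<>]+")
_KEY_RX = re.compile(r"Key:\s*(.+?)\s*Extension name:", re.S)  # blob sits between these labels
_VICTIM_ID_RX = re.compile(r"[A-Z0-9]{10,}")


@dataclass
class RevilNoteConfig:
    extension: str
    victim_id: str
    onion_url: str
    clearnet_url: str
    key: bytes


def note_filename(extension: str) -> str:
    """Dropped note name used by this family: <extension>-readme.txt (see the Path above)."""
    return f"{extension}-readme.txt"


def parse_revil_note(text: str) -> RevilNoteConfig:
    m1, m2 = _EXT_RX.search(text), _EXT2_RX.search(text)
    if not (m1 and m2) or m1.group(1) != m2.group(1):
        raise ValueError("extension missing or inconsistent between note sections")
    ext = m1.group(1)

    onion = clearnet = None
    ids = set()
    for url in _URL_RX.findall(text):
        host, _, path = url.partition("://")[2].partition("/")
        if not _VICTIM_ID_RX.fullmatch(path):   # torproject.org link has no victim path: skip
            continue
        ids.add(path)
        if host.endswith(".onion"):
            onion = url
        else:
            clearnet = url
    if len(ids) != 1 or onion is None:
        raise ValueError("victim ID missing or inconsistent across portal URLs")

    km = _KEY_RX.search(text)
    if not km:
        raise ValueError("Key block not found")
    # The note wraps the blob across lines; strip all whitespace, then require strict base64.
    key = base64.b64decode(re.sub(r"\s+", "", km.group(1)), validate=True)
    return RevilNoteConfig(ext, ids.pop(), onion, clearnet, key)


if __name__ == "__main__":
    cfg = parse_revil_note(SAMPLE_NOTE)
    print(cfg.extension, cfg.victim_id, note_filename(cfg.extension), len(cfg.key))
```

The parser deliberately refuses notes whose two extension mentions or whose URL victim IDs disagree, since a mismatch usually means a truncated or tampered extraction rather than a new variant. What the Key blob encodes is not stated on this page; the code only checks that it is well-formed base64 and hands back the raw bytes.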

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 37 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.17d153a225ea04a229862875795eeec0adb8c3e2769ba0e05073baaf86850467.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2636
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Indicator Removal (T1070): 2
    File Deletion (T1070.004): 2
    Modify Registry (T1112): 2
    Subvert Trust Controls (T1553): 1
    Install Root Certificate (T1553.004): 1
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 1
  • Impact
    Inhibit System Recovery (T1490): 2
    Defacement (T1491): 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    30c1a80375378f74ccc4e1aa4b01968c

    SHA1

    abe06109d83f8e5e0bce117874fe05d1b6f13923

    SHA256

    2f3f091a67d9ba6ba0adfa6a77196c81c19f2d8ce9ba3c9c29bc3dc546253bba

    SHA512

    ca534d5b23d82f7f2870549af897742bbd9abd40bbc6f79591e7e78698fbd09a8008c0cb25f00aa29a2d85ee5242432ec0c6c777f6e2de78f3ee1985e6518e95

  • C:\Users\Admin\AppData\Local\Temp\Cab39F6.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

  • C:\Users\Admin\AppData\Local\Temp\Tar3AB5.tmp
    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

  • C:\Users\bv0khy49-readme.txt
    Filesize

    6KB

    MD5

    2dbb3ea4445b5a7f819115d98e2ee1b0

    SHA1

    89dc36f152927aafe932f1c238b0e17b0d61cbfd

    SHA256

    9ad8aa4f82b37db9060dcefdd9e531119433c1e9a888b00bd8c668a98c10ca37

    SHA512

    95e608e91b991c612f976907170a0eb318bcf714619699d8f3bb06bfb1b88aea3f64a32066bd54c60add6df348e3cd6b5f7a10981c9a595333a4cc15210eebfd