Overview

overview

10

Static

static

10

2024-03-06...il.exe

windows7-x64

10

2024-03-06...il.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil

  • Size

    207KB

  • Sample

    240306-b2hw6sgf47

  • MD5

    41daca921d5f2128ccec2e79140627d2

  • SHA1

    20f6dda39b1e6a82a7ec62b533f740af7c14fc51

  • SHA256

    a50149e4dc2ba462591cf3bc8cc588fe46d772dec69757727880b5dc312662ae

  • SHA512

    c16d04d93a95168f00086f57208c0086d3ab1d60df2b054b103902d3263051d6e80e65ebec5733ca6b14b7f5edba7d587e74514df987ddb8d52c643ffd9573fe

  • SSDEEP

    3072:Ur8lmryy2RjLTuVyu7CJDgoMT3QPWYFQxLt79LFrb30BRtBZZg+i2v:Mt2y2RsQJ8zgPWSwxJ0BXScv

Score
10/10
neshtasodinokibi$2a$10$eexbkjbosgx7rhv9nzhif.mbiht5kcvbthgjgld4p5bskezrqeck.1428persistenceransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

Campaign

1428

Decoy

architekturbuero-wagner.net

socialonemedia.com

nuzech.com

kafu.ch

mediaacademy-iraq.org

pocket-opera.de

katiekerr.co.uk

bodyforwife.com

commercialboatbuilding.com

naturalrapids.com

mapawood.com

fiscalsort.com

baylegacy.com

koko-nora.dk

markelbroch.com

hexcreatives.co

kamienny-dywan24.pl

shsthepapercut.com

destinationclients.fr

shonacox.com
Attributes
  • net

    true

  • pid

    $2a$10$EexBKJboSGx7rhv9nZHif.Mbiht5KcVBTHgjgLd4P5BsKEZrqEcK.

  • prc

    mydesktopqos

    thebat64

    encsvc

    powerpnt

    thebat

    mydesktopservice

    outlook

    msaccess

    ocautoupds

    excel

    msftesql

    infopath

    xfssvccon

    thunderbird

    visio

    steam

    winword

    mysqld_opt

    sqlagent

    sqbcoreservice

    firefoxconfig

    tbirdconfig

    wordpad

    mysqld_nt

    mspub

    ocssd

    onenote

    dbeng50

    dbsnmp

    sqlservr

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    svc$

    sophos

    memtas

    backup

    veeam

    vss

    mepocs

    sql

Extracted

Path

C:\Users\3w6v5q-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 3w6v5q. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF526BEDCB89A20D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/BF526BEDCB89A20D Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: akyUf9eNAKmYcggd8rUuwYtXgC+kTX6Epwqde7a2HgE1BbFpbj7KnEVvyyxjojgI pLsnWZ2x8/jRu1ueyzgkmnULzwUIqdgaD9NG5J51javpZwGAq5ZIV33MJz6D9dwj bYBDGQAPIkF4dy8Qcpk9ovfS004gsVIWJVCKYVn/3gfatl9mtBVqWuZnHC0YjZTf nZye3avTeoHvhcSKvHZvvV6uS2qJKkOup67aW8JtIyrjczQf+hxwIxlBno8ENsH9 hhFVk38FJEn1Q3fZfsALGJB3NIpgNd325MslhhmuYAogILNsEvCEq9sMqx4VE1eX AfwE4DwWdOnTnu6ZgySJppexr5EMeff6ywzoLHw7WmWmnqCwfpQfkarzn/6cBjm7 Gdo4EN7eNf4555xmrhLR0BNMn+BUux/YyBe+QWThKgIosmYSRwPzwwLK6MNKtT4s OW1gsSdLVZ7WhSN9dgKNi6KHbdq/nw/ekJz6dxD6l1jKwZw2taQ4bQci3GsaWZ+T smXp1Eeox/qNyAo/++aLoi7I3heG9pCxTdrZFlRMvUzfFtNClM0qyAC4lRwYks7B 5gJr8rW6zdx+uZ5pB6d2jk+OH1bwR6jBK5ZWlnzg2ETimNQTps2lbtCJVeU27xbi XJD3MWEItO+hj3ppOveQ1xEc5ICPAiHs4DR1ZGsZzRJi5kBWaR1L+gmUC0WDohFq kCpmeZk0O4vnwbIGFwbldDW59tuU6JD1DuxF30qdCi/FGvlg4y8JxhzC+ll1CrUx bnVEfJXay6VpaBS+IyEY5i72DRTFspHA99JfopMF4DKD8x9O/aQyjVRhE0X1Au4y 3OGg+2u6s9JMsy4unLBNZGpx/4wT9mG8QlKR4F76ZBwFhaHk50t1ihDrRb8G1Tsn 9WMJ0vx5Z0z9BxaKZlakP8WOglLCcGtABEBNKwNvhSzleojpKCO+mg2ivZwkBndL Y5AqpmrX1odS5kSAhgjauLxI3rDRZUkmeKkxZjXFXmJyCo4sXKnozwYtPZJlKo16 ALjH0nEmmQAhGQesf8yPd0Zto08xpI7Epc/Br1rl1G1k/YgBL1/y4HXAtwxySWdk U6fZxQlbMO+z5oco46heLoHqmOhcWChOWDRhGSenwvNMijaCjhQrToir3QiskRUk xmflErJEAbBnQHF6/ymenfpu0rhENKCQe63tc9hitLgs1s750anIr6K5R8EzSe5y x4fZBvD861IZuAt2ruiJJEJfQwv1it+kbKi0UbnVNh8b9vxhR8GI8cDo849Bt0IM ENALSZhalgNAkHVopLQ+Rs/W4nGjvsn+/mWOkjvRm+zLtfJ0OgWFkmaUdsQ4rjn0 ypUXXXoow+ogbaphhjmfQgHCUuxBXthauBJWc4bG12Y= Extension name: 3w6v5q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF526BEDCB89A20D

http://decryptor.cc/BF526BEDCB89A20D

Extracted

Path

C:\Recovery\vqw94kxh-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vqw94kxh. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AB046526D0C698B8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/AB046526D0C698B8 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KEptlRWOWdjdMNLFCAVZ7I6c82CVOcKiRX1/mr6IOrpN8kLpzv1Ov3xjOqWuVAbs 6vLRxRpqxoSewZ55LHQC3klB+uhDON22SmhukJz7hknCgCN4ATpBN62k3cY3tJO/ psA04zVNtC7apIXyPdngerjL7+04OjgInRobQ8PnckicGyIPt705zkEu9xN8Cjrl xvPAWyWw8/5/KgIJyx+nBUhH1aeAiA1P4ekI61yeBzADvX+5DLZPeathLPWx5sKe yc4eCfvTtzr6fVgI63Uw1NNt0moPBhsWtHeK9UlX7hlbCkQTiINqSArs7esa0axJ gb0EqxPesXEQyotBmwMQQzn4Rd0LBOpfbqIQ1MW8jPlPFXTrQw62+8JNnqfX6T1+ zRnZUAmdOBhaP+JNzelQ7JOctcmfm2GqSMySdCqjD3pNZagsNy3zmU8wDaAziHlq 6Qhxxj3CV6gD+8iCJaD7akWuihUrFJdvkLCHT24pXnBt0HT8t9hHYcbYlJVHL2cA JwXDxfyGrZBQRFBvF27qRpTHhFAz1jmOUOrWCbaxU7Xj8AX7hKjP+JVozxZkSvCP wpJ+Pslr/fZRym2I/qbttTMgLT/0brkuWuZsOQsmdlxitM52+pTAR/Mbni5znJvL XjLBqtxVPv+JTnMY3XvgWvLTcBGwdFBEwBo5SCyUOMcp4H5sqcw+VSWNN8dVhF85 GfBHmuMVaKOZgdnrtZWfnUAyJts8/lkDSxkIXXgu1FxVSobreCaYH3O6ILBt0jcv Wx5Az2EgZEO6hgZqWRyRu1/zLhhFlQ34F8CiIHQuRJbN1K6iezQRy6Y8vL8woPid W+FXznW8zow/sME6bmNlvN8VRyAmOMiQ+tFQr5/To5x0afvQ+sVSMKCBEl525dVf JeJXimIDz2Uistc7/HwnXXTmG+obVIVYkUjDH8mydyzPu2Hu/aiA0ouRIVLDpMNJ 750FRyaR6YLmnDXd73xU8SD3F0hgtZYt4RVE7Wx02NP6ggylPdIS9x7Z9v2tPniv CQiopxVy1hzXLqNBu7g2jnfIN8m1fXib3UIPYdgW56cvHzHcwRC+82xAG4FpASDH 56O+be7PV9Qgaf6aAAaC5PzGnGDqUGRMeEVgOx58xk1qI5X7urSCLhmEWFJwm2bS Ye+k071sOaNHCdsk0qYirviOeNR3sThGUjSlLMw3ENz3OZcAdkhb+P9MIdWyaOz+ YsztAhzIM56tPSYm69VHVbdCDA3RMKF5p9jzESkOoFQpcGPI/m6lenltKysLUj3g 6Vj/prLvUG8r5kPAyFZDrxEihlbPWKRR/Ey3qIYsjOo7G1vjbDThtk+JqNndL0tW xZLeJB2w9XD16cyaPGyzHfIXFX9/ctapGC31tSIMh73zdWapNcGCCrIm Extension name: vqw94kxh ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AB046526D0C698B8

http://decryptor.cc/AB046526D0C698B8

Targets

    • Target

      2024-03-06_41daca921d5f2128ccec2e79140627d2_neshta_revil

    • Size

      207KB

    • MD5

      41daca921d5f2128ccec2e79140627d2

    • SHA1

      20f6dda39b1e6a82a7ec62b533f740af7c14fc51

    • SHA256

      a50149e4dc2ba462591cf3bc8cc588fe46d772dec69757727880b5dc312662ae

    • SHA512

      c16d04d93a95168f00086f57208c0086d3ab1d60df2b054b103902d3263051d6e80e65ebec5733ca6b14b7f5edba7d587e74514df987ddb8d52c643ffd9573fe

    • SSDEEP

      3072:Ur8lmryy2RjLTuVyu7CJDgoMT3QPWYFQxLt79LFrb30BRtBZZg+i2v:Mt2y2RsQJ8zgPWSwxJ0BXScv

    Score
    10/10
    neshtasodinokibi$2a$10$eexbkjbosgx7rhv9nzhif.mbiht5kcvbthgjgld4p5bskezrqeck.1428persistenceransomwarespywarestealer

    • Detect Neshta payload

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

      ransomwaresodinokibi

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks