Analysis

  • max time kernel
    148s
  • resource
    win10v191014
  • submitted
    09-12-2019 10:31

General

  • Target

    e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe

  • Sample

    191209-v5j5ecnwrj

  • SHA256

    e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec

Malware Config

Extracted

Path

C:\36rwx-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 36rwx. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6BBB3F5B07FB9A97 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/6BBB3F5B07FB9A97 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: l/PzUbM3LpS/zo7NT9q2vCuIVO996xg01PR5Sss1QMmzbaiMy5rG1Q2LOjQFH/Eu 9qYq6HAX4+IU0WF/iOmQDrXU8iR7yzYfJyNZxosXiHo/HdV4seIt3i5Sv1WjzCqY Fw7H7pu9oXOJuo3Bdx/hupN/Vxcs3w6oaWSOWODRLEFjUL7FYLrKWNrIQ4gT+UG7 pkbMP7/idZm5y+juUjLiYhDhlKUC30ki3Bmb9uxzgao3CIt2HVZcxnC5eoiXLIRi sR+yczH9D13adsDo3NNnGOxVJofMdMe6zl0lDNMxb+RatUYK+Qw5apieqN7aZ6B4 j97v4wCM2tK+DPp8rZPZOmlVld1HZvvam0GTEJliVYA+HA0HAtJZGcnNCRA5yU5x Yin3qMYb+3rqXiBhCheBOb/55t76IqEw/k8hw/BZIOh4ycKPqP96elG8zxZjemvR gP5MlG0LeNYiQGICMTXD4xzhNYVpsb0f+/tvCCz17v82ACo+TmLk3MO2cCj1cge5 9k1Zj8vYTPWG3Pzs4MdiKHbk/iwjxHGmbVW0x2MMGZw8JbhwrfL9FxamUyLCHI7m VCFs4r1xARK+1Q5vjow1wld0iCz1/0NhOFD8zthK5XdsAXZDXiAI6Lbpnn51gvmv cceG2HXcAYzmmFP601TF3u4RjayolznqidUV2lXftVvPRQmJVxcFozQH20yj8m9g H6LuYnYfWtrDzovbVWaMmzf6CsDYh8zmoZoOw4+i4jIwkprrYKDZRyLA4aoJYa8p FzLMmwmZaijlRMx8dbffPLnKhbhBkyzeqwkiDVKWP6BDtR7aCRq6bijfpsMm46vO Qj6nneb3ZQJMAfIB1IRXDEr2hel/ptVOwHCu/IR+RjGLorMUnGewnjE+DdCbwmtX IRpOZNTauYU8sa8U62Y2Xx1dfQxuxoxz1lMJ2EhnFu4sb8Qlevo4pLGIxRO/rtet ccQYySJf3AkqLuZ9Kl+u7YS60JKqHVRrCb4x1LcyLFA/JhGgtthc1FKUyp3BKYrl TEbuWwakUT+YE1lJv8eXy3u5LfT1RwG4LWyL/YXQuo2IetxZkEzdjBbGzySz3/eT Yun/luOT96XvXaf7jRWc9BFS3J7BiYWfujnD5Yzkf20AhlOr8os= Extension name: 36rwx ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6BBB3F5B07FB9A97

http://decryptor.top/6BBB3F5B07FB9A97

Signatures

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Discovering connected drives 3 TTPs 6 IoCs
  • Drops file in Program Files directory 52 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Deletes shadow copies 2 TTPs 1 IoCs
  • Drops file in Windows directory 2109 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe
    "C:\Users\Admin\AppData\Local\Temp\e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe"
    1⤵
    • Discovering connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:2936
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
      PID:5012
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4156
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Discovering connected drives
    PID:3708
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
    PID:3188
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    1⤵
    PID:4000
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    1⤵
    PID:3992
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    1⤵
    PID:4780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4904-0-0x0000000005D90000-0x0000000005D91000-memory.dmp

    Filesize

    4KB

  • memory/4904-1-0x00000000040AB000-0x00000000040CE000-memory.dmp

    Filesize

    140KB

  • memory/4904-2-0x0000000005D90000-0x0000000005D91000-memory.dmp

    Filesize

    4KB