Analysis

  • max time kernel
    134s
  • resource
    win7v191014
  • submitted
    16-12-2019 10:55

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

  • Sample

    191216-4rcmytrrka

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

Malware Config

Extracted

Path

C:\Recovery\43s40i71l.info.txt

Family

sodinokibi

Ransom Note
Hello dear friend!
Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got 43s40i71l extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4D1C7A1B00D6DFF

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/B4D1C7A1B00D6DFF

Page will ask you for the key, here it is:
w9Autyu791gDcgvJa88bZEMg0tYQX4sIbUfcHkGQUMeWFlK6N9VP/PgmIpE3YxRM
ohzlunC1jHPFBOdG8RQH5MFeSpaYJbff7dmrp0Sa/AMxs3Z58AtfTxxtpeASEXJa
YSuteCc0crrZMVRrla9rHduzsA/Hxb9ZD15zLSkGZoDH1T9bcYhlDN4cX6bLJsFl
Euap6XWWIQMNIXySYnG/MUylyFPkq/La2BAwmdqLsmXVntg/rRvfWEWj2WkbFHKQ
dXGi3fkprUaMh6C5kiyLS8Lr4uY3pymcRlPD4Js45f88q4XXKoYdX4QiFv2Fu4pF
0GiQByslCAww57WYLXF8xDTp+cGUUIMiKVcUDXj35BgZEWo2Vwii9LstTbI0DaDL
8HpAZ5rirtV8GyQsSwjg2qtZ+FuE8AM5YQ6owC2vCGKqKG/C582gl3dBHtfP/6gv
YYb5NKLnjY2hi6N8K3HJnWIqj7b7T8dWGIOmk1qnm7BlLzRumMkzXv3QTbtNH1C0
58g6J/bu6ZnlEnru6VCJE/dIz6SBxU97uzxvlS/huie2dDK1JPpzShBWA7tz3qBx
5ATFVR5uW8Na2dJ7zJeJItOPDaSHy6/tqxi5AwE36xosIIMh4ARJh+gbI4LTcdJ5
+2AmtIUf5K1SW6vatp2SJSEQqUOAjhagyVb2MxaU0MrHpTc0a2cmLJAvFe5qFnZv
wp1fbuFTCNvDCLZkNXx756is/qnKsX7UbzIDFZ/tz6i54Kfr7RdLikAf3VoKfE1n
8CH4WM3RVy6w3rV6x/zQRfIk3rTprcGipbnCBLyV4kTA1G5ctaDpSj825FSTQ/gs
NTNQEPFOEyZPkLiTm6eu3TxxrtL/lfMCiKx5tGuKyAYHDgQe7fO6PsBXSPbbu9o/
HbPeysq5oP0lWSVzZfFLYaAiUukw4ux0747ahw5WqF3esJPYrZQEWptLQILabRsI
JEhTSiyCoJVn2pm4gk7pub+b5IIfskP5DNixAFAM6w1cAZndhgj89M9PkawMY9X+
Y/TGxatmIpdh/v4JusSEST6BTBd4WHeOd1x9QJhyyXDErIrfbl56xRZSd0nxAszP
Gp+fK74qHGJ1oeJA7HBBa1ipf9pG8083
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4D1C7A1B00D6DFF

http://decryptor.top/B4D1C7A1B00D6DFF
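The indicators listed under "Malware Config" are all recoverable from the ransom note itself. The following is an added example, not part of the sandbox report and not code from the Sodinokibi authors: it rejoins the 64-character key lines and pulls the appended extension, the onion and clearnet hosts and the shared path token out of the note text quoted above. The regexes, the field names, and the label "victim_id" for the path token are this example's own assumptions about the note layout.

```python
"""Pull indicators out of the Sodinokibi ransom note shown above.

Added example, not part of the sandbox report or of the malware's own code.
The note text is the one extracted in the report above; the regexes and
field names are this example's own assumptions about the note layout.
"""
import re

# Ransom note as recovered from C:\Recovery\43s40i71l.info.txt (text from the report above).
NOTE = """Hello dear friend!
Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got 43s40i71l extension.
Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4D1C7A1B00D6DFF
Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/B4D1C7A1B00D6DFF
Page will ask you for the key, here it is:
w9Autyu791gDcgvJa88bZEMg0tYQX4sIbUfcHkGQUMeWFlK6N9VP/PgmIpE3YxRM
ohzlunC1jHPFBOdG8RQH5MFeSpaYJbff7dmrp0Sa/AMxs3Z58AtfTxxtpeASEXJa
YSuteCc0crrZMVRrla9rHduzsA/Hxb9ZD15zLSkGZoDH1T9bcYhlDN4cX6bLJsFl
Euap6XWWIQMNIXySYnG/MUylyFPkq/La2BAwmdqLsmXVntg/rRvfWEWj2WkbFHKQ
dXGi3fkprUaMh6C5kiyLS8Lr4uY3pymcRlPD4Js45f88q4XXKoYdX4QiFv2Fu4pF
0GiQByslCAww57WYLXF8xDTp+cGUUIMiKVcUDXj35BgZEWo2Vwii9LstTbI0DaDL
8HpAZ5rirtV8GyQsSwjg2qtZ+FuE8AM5YQ6owC2vCGKqKG/C582gl3dBHtfP/6gv
YYb5NKLnjY2hi6N8K3HJnWIqj7b7T8dWGIOmk1qnm7BlLzRumMkzXv3QTbtNH1C0
58g6J/bu6ZnlEnru6VCJE/dIz6SBxU97uzxvlS/huie2dDK1JPpzShBWA7tz3qBx
5ATFVR5uW8Na2dJ7zJeJItOPDaSHy6/tqxi5AwE36xosIIMh4ARJh+gbI4LTcdJ5
+2AmtIUf5K1SW6vatp2SJSEQqUOAjhagyVb2MxaU0MrHpTc0a2cmLJAvFe5qFnZv
wp1fbuFTCNvDCLZkNXx756is/qnKsX7UbzIDFZ/tz6i54Kfr7RdLikAf3VoKfE1n
8CH4WM3RVy6w3rV6x/zQRfIk3rTprcGipbnCBLyV4kTA1G5ctaDpSj825FSTQ/gs
NTNQEPFOEyZPkLiTm6eu3TxxrtL/lfMCiKx5tGuKyAYHDgQe7fO6PsBXSPbbu9o/
HbPeysq5oP0lWSVzZfFLYaAiUukw4ux0747ahw5WqF3esJPYrZQEWptLQILabRsI
JEhTSiyCoJVn2pm4gk7pub+b5IIfskP5DNixAFAM6w1cAZndhgj89M9PkawMY9X+
Y/TGxatmIpdh/v4JusSEST6BTBd4WHeOd1x9QJhyyXDErIrfbl56xRZSd0nxAszP
Gp+fK74qHGJ1oeJA7HBBa1ipf9pG8083
"""

EXT_RE = re.compile(r"have got (\S+) extension")
URL_RE = re.compile(r"https?://([\w.-]+)/([A-Za-z0-9]*)")
KEY_MARKER = "here it is:"
B64_CHARSET = re.compile(r"[A-Za-z0-9+/=]+")


def parse_note(text):
    """Return extension, onion/clearnet hosts, the shared path token and the rejoined key."""
    out = {"extension": None, "onion_host": None, "clearnet_host": None,
           "victim_id": None, "victim_ids_match": None,
           "key": None, "key_is_base64_charset": None}
    m = EXT_RE.search(text)
    if m:
        out["extension"] = m.group(1)
    tokens = []
    for host, path in URL_RE.findall(text):
        if not path:          # the torproject.org download link carries no path token
            continue
        if host.endswith(".onion"):
            out["onion_host"] = host
        else:
            out["clearnet_host"] = host
        tokens.append(path)
    if tokens:
        out["victim_id"] = tokens[0]
        # Both payment URLs should carry the same token; a mismatch means a bad extraction.
        out["victim_ids_match"] = all(t == tokens[0] for t in tokens)
    if KEY_MARKER in text:
        # The key is printed as several 64-character lines; rejoin it without whitespace.
        key = "".join(text.split(KEY_MARKER, 1)[1].split())
        out["key"] = key
        out["key_is_base64_charset"] = B64_CHARSET.fullmatch(key) is not None
    return out


if __name__ == "__main__":
    for k, v in parse_note(NOTE).items():
        print(f"{k}: {v[:32] + '...' if k == 'key' else v}")
```

The extension and the path token are the two values worth pivoting on: the extension names the dropped note file (C:\Recovery\43s40i71l.info.txt) and marks every encrypted file, and the token appears identically in both payment URLs, so a mismatch between them flags a mangled extraction rather than a real indicator.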

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Deletes shadow copies 2 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Discovering connected drives 3 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Drops file in Windows directory 3276 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    • Drops file in Windows directory
    PID:1444
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:2024
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-388722206-19565585701416385159-1724534010-776757088-167748554900424385-104918526"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2004
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:288
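The cmd.exe line spawned by the sample (PID 1096) disables three recovery controls in one command: it deletes all shadow copies, turns off Windows Recovery for the default boot entry, and tells the boot loader to ignore failures. Matching only the vssadmin.exe child (PID 2024) sees one of those; matching the parent command line sees the whole chain. The following is an added example, not sandbox code: the rules are this example's own approximations of ATT&CK T1490 (Inhibit System Recovery), applied to constructed process-creation events in a Sysmon Event ID 1-like shape. The cmd.exe and vssadmin.exe command lines and PIDs are taken from the tree above; the parent PID of the sample, the two benign events and the wmic event (the WMI route to the same outcome, included as a generalisation beyond this sample) are constructed.

```python
"""Detect the recovery-inhibiting command chain from the process tree above.

Added example, not sandbox code: the rules are this example's own
approximations of ATT&CK T1490 (Inhibit System Recovery) and the events are
constructed in a Sysmon Event ID 1-like shape. The cmd.exe and vssadmin.exe
command lines are the ones from the report; the sample's parent PID, the wmic
event and the two benign events are constructed.
"""
import re

# (rule name, pattern); every pattern is applied to the full command line.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    # Generalisation beyond this sample: the WMI route to shadow-copy deletion.
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"

# Constructed process-creation events; PIDs, images and command lines of the
# first three come from the report's process tree, the parent PID 900 is assumed.
EVENTS = [
    {"pid": 1444, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1096, "ppid": 1444, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 2024, "ppid": 1096, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Constructed benign administrator activity that must not fire.
    {"pid": 3001, "ppid": 700, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"pid": 3002, "ppid": 700, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
    # Constructed: the WMI variant of shadow-copy deletion.
    {"pid": 3003, "ppid": 700, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]


def matched_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def root_pid(events, pid):
    """Walk ppid links to the oldest ancestor present in the event set."""
    by_pid = {e["pid"]: e for e in events}
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events):
    """Return one alert per event whose command line trips at least one rule."""
    alerts = []
    for e in events:
        hits = matched_rules(e["cmdline"])
        if not hits:
            continue
        alerts.append({
            "pid": e["pid"], "image": e["image"], "rules": hits,
            # Several recovery controls disabled in one command line is the
            # ransomware pattern; a single hit may still be an administrator.
            "severity": "critical" if len(hits) >= 2 else "high",
            # Attribute the alert to the process that started the chain.
            "root_pid": root_pid(events, e["pid"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Both the cmd.exe parent and the vssadmin.exe child fire, and both are attributed to PID 1444, the sample itself, by walking the parent chain. One caveat the report makes visible: it also flags "Uses Volume Shadow Copy service COM API", which is a second deletion path that produces no vssadmin command line at all, so command-line rules like these cover only one of the two routes this sample has.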

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, then technique (ID) and the number of matching signatures:

  • Defense Evasion
    • File Deletion (T1107): 1
    • Modify Registry (T1112): 2
    • Install Root Certificate (T1130): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1
  • Impact
    • Inhibit System Recovery (T1490): 1
    • Defacement (T1491): 1
