Analysis

  • max time kernel
    130s
  • resource
    win10v191014
  • submitted
    16-12-2019 10:54

General

  • Target

    06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe

  • Sample

    191216-4zdx1n374x

  • SHA256

    06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851

Malware Config

Extracted

Path

C:\39y4ps-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 39y4ps. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/081AC0D763E84FAE
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/081AC0D763E84FAE
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
VqWt7lVK2ZjcvUHxxx3RZixAICt+qRrhH0FNKOzv7p6AdIg9PR4OtHRTDyK4K7WU
Uom6GhvIg2baiNZ9/ndfq5UJadTN2HqTq7HuK94ZHhY7wnp94Kq2qbUmqsghIJtb
ktMCE8bRr9utOqWSRb+DJtFf3sTRcwQW7eMP8s0OtTpU68BAhAu0zsdZqsTyb7JB
hVOg9cZmJb8fLebT4BiLI49CgI8MIXQNi7NcyW3HQZlW9Q3udnZ/5EfKUdJvoUk3
WrfqCX8p6krCFlO1E01QUSET3GsHjoCwPh05AOQMXNrLMVPpnD2CQ+VKTCNV8AoB
KlJlbMWywE5rE6Y3cLyhejZZJAtgwdRTP6Z6NZqFQGNG+SKPKQS78G+52ML762iJ
MJPby/DHrBtua3G1VUhidn2ToOY0Rki2sTY/k4ssyU+5TbqMH7B0nnN1WzNaph83
RhCGU4bGOZjald2P2MGVjUFnucI5TSvYrQUhNGDPNLeYGu9eB6yDDYp8JVlZpWQt
Feau1hUdi+XC7+d0Iijljt70zIejqx+1AN5jeheogY1sRrqjzKlMQJzoYcDDyX2l
ekry9FLojB0gmIBpSvGbi3CuCViXmZjHjrfwlKYhoss0V+Q6i7cMrdtsgmfCvjwT
ydk+ZOvRK9BdUm1oagjvAuZabPAGoBAcnezueF8OhCFW2klrYbK5fqitnQew2YIy
oGiTRCABy/kww03zNpvvQie8UPNRzIQnPazOf8P5A8D/Tbf9zUV9Tc5XCvkFt/Ny
4cGdnLkayhzt8erQ62hOqx7oNz/xVVgXdiLQNJa2BZnMpEk5fMlAbz1Y+R11Xvf4
b3o/E1oLtOgq3ERtr/v6GnEbBRzqqxnl6NwmArLUyxq0EY17v8CG7YVNydxPqwh2
z3ijcJ/AU2lKRX9DxMQRSrTTtLDsnOONLCwUWoptb4u71p8m0nHbrVYNj7ZiYDuh
AqFib8V8JcL55BbC4TXAelw7WdG+FQA3JqlPEOdmBmRcGu0G0ZEtU3C/6+6wz+DI
/a7xYwCJ/ymYi4wqrtU0O///Wi9FpbIES3X0AUt6PGwzdqtLl3/YBRI7Oyz4y7L3
o/NvbbVwBx3f294KIAesKfNFwFatqwhzyDSOVoBRCNbes6Rt0paitw==
Extension name: 39y4ps
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/081AC0D763E84FAE

http://decryptor.top/081AC0D763E84FAE
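The extracted config above is what an analyst would pull out of every copy of the note: the victim identifier shared by the .onion and clearnet URLs, the extension, the note file name (the report shows it dropped as C:\39y4ps-readme.txt, i.e. <extension>-readme.txt), and the base64 key block. The following extractor is an added example and is not code from the sandbox or from any vendor tool; it assumes the note layout shown above (a "Key:" block of base64 broken across lines followed by "Extension name:"). SAMPLE_NOTE is a constructed, shortened stand-in that reuses the report's URLs and extension but a placeholder key, not the real victim key.

```python
"""Pull the actionable fields out of a Sodinokibi/REvil-style ransom note.

Added example; it is not code from the sandbox report or from any vendor tool.
It assumes the note layout shown in the report: a 'Key:' block of base64 broken
across lines, an 'Extension name:' field, and one .onion URL plus one clearnet
URL that share the same victim identifier path. SAMPLE_NOTE is a constructed,
shortened stand-in: the URLs and extension are the report's, the key is
placeholder bytes.
"""
from __future__ import annotations

import base64
import json
import re

ONION_RE = re.compile(r"https?://([a-z2-7]{16,56})\.onion/([0-9A-Fa-f]{16})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
KEY_RE = re.compile(r"Key:\s*(.+?)\s*Extension name:", re.S)
EXT_RE = re.compile(r"Extension name:\s*([A-Za-z0-9]+)")
EXPANSION_RE = re.compile(r"expansion\s+([A-Za-z0-9]+)")

# Constructed sample: 48 placeholder bytes -> 64 base64 characters, split into
# 16-character chunks the way the real note splits its key across lines.
SAMPLE_KEY_BYTES = bytes(range(48))
_B64 = base64.b64encode(SAMPLE_KEY_BYTES).decode()
SAMPLE_NOTE = (
    "---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, "
    "and currently unavailable. You can check it: all files on you computer has "
    "expansion 39y4ps. 1) [Recommended] Using a TOR browser! "
    "a) Download and install TOR browser from this site: https://torproject.org/ "
    "b) Open our website: "
    "http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/081AC0D763E84FAE "
    "2) If TOR blocked in your country, try to use VPN! "
    "b) Open our secondary website: http://decryptor.top/081AC0D763E84FAE "
    "When you open our website, put the following data in the input form: Key: "
    + " ".join(_B64[i:i + 16] for i in range(0, len(_B64), 16))
    + " Extension name: 39y4ps ---------------------------------------- !!! DANGER !!!"
)


def extract_note_config(note: str) -> dict:
    """Return victim id, payment URLs, extension, note file name and decoded key.

    Raises ValueError when a mandatory field is missing or the key block is not
    valid base64, so a caller never stores a half-filled record.
    """
    onion = ONION_RE.search(note)
    if not onion:
        raise ValueError("no .onion URL carrying a 16-hex-digit victim id found")
    victim_id = onion.group(2)

    # Only URLs that carry the same victim id belong to this campaign; this
    # drops decoys such as the Tor Project download link in the note.
    urls = sorted({u.rstrip(".,;)") for u in URL_RE.findall(note) if victim_id in u})

    key_match = KEY_RE.search(note)
    if not key_match:
        raise ValueError("no 'Key: ... Extension name:' block found")
    key_b64 = re.sub(r"\s+", "", key_match.group(1))
    try:
        # validate=True rejects stray characters instead of silently skipping them
        key_bytes = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key block is not valid base64: {exc}") from exc

    ext_match = EXT_RE.search(note)
    if not ext_match:
        raise ValueError("no 'Extension name:' field found")
    extension = ext_match.group(1)
    body_ext = EXPANSION_RE.search(note)
    if body_ext and body_ext.group(1) != extension:
        raise ValueError(f"extension mismatch: body says {body_ext.group(1)}, "
                         f"footer says {extension}")

    return {
        "victim_id": victim_id,
        "urls": urls,
        "extension": extension,
        # The report shows the note dropped as C:\<extension>-readme.txt; this
        # is the file name to hunt for on other hosts.
        "note_filename": f"{extension}-readme.txt",
        "key_b64": key_b64,
        "key_bytes": key_bytes,
    }


if __name__ == "__main__":
    cfg = extract_note_config(SAMPLE_NOTE)
    cfg["key_bytes"] = cfg["key_bytes"].hex()
    print(json.dumps(cfg, indent=2))
```

The function refuses to return a partial record: a note with a damaged key block or a missing extension raises rather than producing an IOC set with a silently wrong key, which matters when the output feeds a blocklist or a decryptor-check workflow.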

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Drops file in Program Files directory (52 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Discovering connected drives (3 TTPs, 6 IoCs)
  • Deletes shadow copies (2 TTPs, 1 IoC)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Drops file in Windows directory (2109 IoCs)
  • Checks system information in the registry (2 TTPs, 2 IoCs)

    System information is often read in order to detect sandboxing environments.

Processes

  • C:\Users\Admin\AppData\Local\Temp\06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe
    "C:\Users\Admin\AppData\Local\Temp\06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • Discovering connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in Windows directory
    PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:4116
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
      PID:1708
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4568
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Discovering connected drives
    PID:1724
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
    PID:4748
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    1⤵
    PID:2804
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    1⤵
    PID:4936
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    1⤵
    PID:5040
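The only chain the sample itself spawns is cmd.exe /c with three commands joined by "&": vssadmin.exe Delete Shadows /All /Quiet, then two bcdedit /set {default} calls that disable recovery and hide boot failures (ATT&CK T1490). Note that cmd.exe resolves to C:\Windows\SysWOW64, so the sample is 32-bit, and that the tree shows a vssadmin.exe child but no bcdedit.exe child; a detection that only watches for bcdedit.exe process creation would miss this run, while one that scores the parent cmd.exe command line catches all three. The other depth-1 entries (the SppExtComObj.exe/SLUI.exe activation task, the svchost.exe service hosts, and vssvc.exe, the Volume Shadow Copy service) are Windows background activity the sandbox captured, not children of the sample. The following detection logic is an added example, not code from the sandbox or any vendor; SAMPLE_EVENTS are constructed stand-ins for Sysmon Event ID 1 / Security 4688 fields that carry the exact chain above plus wmic and PowerShell variants the report does not show, and the rule set generalizes beyond this sample's commands.

```python
"""Flag recovery-inhibition command lines (ATT&CK T1490) in process-creation logs.

Added example; not code from the sandbox report. SAMPLE_EVENTS are constructed
stand-ins for Sysmon Event ID 1 / Security 4688 fields. The first two carry the
exact cmd.exe chain and vssadmin child seen in the process tree above; the rest
are variants (wmic, PowerShell) the report does not show but the same rules
should catch, plus a benign 'vssadmin list shadows' that must not fire.
"""
from __future__ import annotations

import re

# (rule name, ATT&CK technique, pattern applied to one lower-cased sub-command)
RULES = [
    ("vssadmin delete shadows", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit disable recovery", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit ignore boot failures", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin delete backups", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b")),
    ("Win32_ShadowCopy delete via WMI", "T1490",
     re.compile(r"win32_shadowcopy.*\b(?:delete|remove)\b")),
]

# cmd.exe chains sub-commands with & and &&; PowerShell uses ;. Pipes are kept
# together because "Get-WmiObject ... | ... Delete()" is one action.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|&|;)\s*")
CMD_PREFIX = re.compile(r'^.*?\bcmd(?:\.exe)?"?\s+/[ck]\s+')

SAMPLE_EVENTS = [  # constructed records
    {"pid": 4448, "ppid": 4996, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
                r' & bcdedit /set {default} recoveryenabled No'
                r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 4116, "ppid": 4448, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 5100, "ppid": 880, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"pid": 5120, "ppid": 880,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"pid": 5200, "ppid": 880, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]


def segments(cmdline: str) -> list[str]:
    """Lower-case a command line, drop a leading 'cmd.exe /c', and split the
    chain so each sub-command is scored on its own."""
    parts = []
    for seg in CHAIN_SPLIT.split(cmdline.lower()):
        seg = CMD_PREFIX.sub("", seg).strip().strip('"')
        if seg:
            parts.append(seg)
    return parts


def scan_event(event: dict) -> list[dict]:
    """Return one finding per (sub-command, rule) match for a single event."""
    hits = []
    for seg in segments(event["cmdline"]):
        for name, technique, pattern in RULES:
            if pattern.search(seg):
                hits.append({"pid": event["pid"], "ppid": event["ppid"],
                             "image": event["image"], "rule": name,
                             "technique": technique, "segment": seg})
    return hits


def scan_events(events: list[dict]) -> list[dict]:
    return [hit for event in events for hit in scan_event(event)]


def root_offenders(events: list[dict]) -> list[int]:
    """PIDs whose findings are not already explained by a flagged parent.

    The tree above records the deletion twice: on cmd.exe's /c chain and again
    on the vssadmin.exe it spawns. Alerting on the topmost flagged process gives
    one alert per chain and still fires for the two bcdedit commands even though
    no bcdedit child process appears in the tree.
    """
    hits = scan_events(events)
    flagged = {hit["pid"] for hit in hits}
    return sorted({hit["pid"] for hit in hits if hit["ppid"] not in flagged})


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f'pid={hit["pid"]} {hit["technique"]} {hit["rule"]}: {hit["segment"]}')
    print("alert on:", root_offenders(SAMPLE_EVENTS))
```

Against the sample the cmd.exe event (PID 4448) produces three findings, one per chained command, the vssadmin.exe child (PID 4116) produces one that root_offenders folds into its parent, and "vssadmin list shadows" produces none. In production the same scoring applies to the CommandLine field of Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.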

            Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    File Deletion (T1107): 1
    Modify Registry (T1112): 2
    Disabling Security Tools (T1089): 1
  • Discovery
    Query Registry (T1012): 2
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2
  • Impact
    Inhibit System Recovery (T1490): 1
    Defacement (T1491): 1

            Downloads

            • memory/4996-0-0x00000000005F4000-0x0000000000616000-memory.dmp
              Filesize

              136KB