Analysis

  • max time kernel
    108s
  • resource
    win7v191014
  • submitted
    16-12-2019 10:54

General

  • Target

    0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe

  • Sample

    191216-8bfljdyw2s

  • SHA256

    0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\8jwr0e-readme.txt

Family

sodinokibi

Ransom Note
Hello dear friend!
Your files are encrypted, and, as result you can't use it.
You must visit our page to get instructions about decryption process.
All encrypted files have got 8jwr0e extension.

Instructions into the TOR network
-----------------------------
Install TOR browser from https://torproject.org/
Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FCB7FDC24C90BB8D

Instructions into WWW (The following link can not be in work state, if true, use TOR above):
-----------------------------
Visit the following link: http://decryptor.top/FCB7FDC24C90BB8D

Page will ask you for the key, here it is:
dnpsA19wUmBN5WItEDwZq3q/TvmWpyDOrnOsvGXTOcQGK2T2V3HbsQ6T2VMKSx4j WGOgoiDOxGQLC3sw58qxmcV2auS856W44YkLq6IVfnkYo7/JdVXJT6pBcO9Ao43p o7jhVIhIkY4bfg2u1Mm4AkxHiIOjfDbD2WvLteerZxq+rI29sv+PCUf8HKdP8agB DnIjxZBk8xJq6LW/OxgByM0BLxcH2kKc3tXRSOeaq0zbdPpdazOCikAgX/VjzYbf EmPhdX0aV2I9HEVYT53jCI6cOGdIhM/DjZffsNiCVS7sEq/8XyregwhCBjYYayyv 0g/CPmFYe6KyAjGVIMD8WRS6qb6vtpi576jTs0mjLNmsPTQehnDG6YkRkKk721Q/ +aqKW/4Q1/jCkh1ljHbqJ2mYs35XAMCGD+Aj0XswRT/otm9kjLQKWDRjGOUvRdUS Zn6Dkmlm0ejTD5OtHhWuudxNfyYf+0slm7bBorKEBcueAIzIrIqUHfrTVIFsMXro VnKJyHjnSfuh3no9KuyB15BwMqWbTYYgA+6yD/tBs5iq6JCuS+OO229qoK5tc0NG 2FINo7cOwY/GIi9LLvkOOujiH/BH5GMglWRqoohx7XEYitIY+ipycb3k4nlTBewG nC6G0vrCI6+7JjPxhp2qvs+Mq++hoW2Ily1kaFnqgqC7+snxfvq6UMoPQyaE9/Oi V6Vz0wp6TLthgiob3XMx8WZMIPJHKfX+kX6oi7zv6WYPFliERQteWg5DmRVYy4pr aGHojB2SQhxpMXNnIa4X3tPaNdhyKsf69OXrVCCcsaODT8hNnMBcN/h0tvUr+6El Xto408V1Ve6xzU7XBl3xLh8RqNiQAIFAaVdUPasgDxjY9cZv3e8HTZpkZuIVD69p KqST25bHTptfJ9PmCtz85C04PdoNE+HXUpwPFNJtZBrpB9ZV4w1pwiTnJyGLD39I UI1BiuMqc4eDO+2/WaewhOrU1P2C4D69ODQfbQ21jLL0IGhdJ8UH4+pwuw68bWJm TDaD180wyUATNjfuexTLDyFC/6EGhemCzePsO2nVbmmrAbLWa3eXWdNbXzbyn687 cFPh/5fyKjeNEWvxqrt/0LmbsJQJ+A==
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FCB7FDC24C90BB8D

http://decryptor.top/FCB7FDC24C90BB8D

Signatures

  • Deletes shadow copies 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Drops file in Windows directory 3276 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Discovering connected drives 3 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe
    "C:\Users\Admin\AppData\Local\Temp\0fa207940ea53e2b54a2b769d8ab033a6b2c5e08c78bf4d7dade79849960b54d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Discovering connected drives
    PID:1916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:316
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1564977991624155660-1453012193473192921761962069-536643656-106980508-1099575151"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1388
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • File Deletion (T1107): 1
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1
  • Impact
    • Inhibit System Recovery (T1490): 1
    • Defacement (T1491): 1

Downloads

  • memory/1916-0-0x00000000002CD000-0x00000000002EB000-memory.dmp
    Filesize

    120KB