Analysis

  • max time kernel
    145s
  • resource
    win7v191014
  • submitted
    16-12-2019 10:54

General

  • Target

    e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe

  • Sample

    191216-pg5st7zccj

  • SHA256

    e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec

Malware Config

Extracted

Path

C:\s0t83-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion s0t83.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B26FD4687496107A

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/B26FD4687496107A

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: [base64 victim key blob omitted from this report]

Extension name: s0t83

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B26FD4687496107A

http://decryptor.top/B26FD4687496107A

Signatures

  • Suspicious use of WriteProcessMemory 2 IoCs
  • Drops file in Windows directory 3276 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Deletes shadow copies 2 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Discovering connected drives 3 TTPs 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe
    "C:\Users\Admin\AppData\Local\Temp\e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in Windows directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Discovering connected drives
    PID:1996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:1480
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "184422301228799135618944460-322814422-178056611075657119908867499-803790831"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Install Root Certificate (T1130): 1
    Modify Registry (T1112): 2
    File Deletion (T1107): 1

  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1

  • Impact
    Inhibit System Recovery (T1490): 1
    Defacement (T1491): 1

Downloads

  • memory/1996-0-0x00000000058F0000-0x0000000005901000-memory.dmp
    Filesize: 68KB

  • memory/1996-1-0x00000000040EE000-0x0000000004111000-memory.dmp
    Filesize: 140KB

  • memory/1996-2-0x0000000007570000-0x00000000078F5000-memory.dmp
    Filesize: 3.5MB