Analysis

  • max time kernel
    150s
  • resource
    win10v191014
  • submitted
    16/12/2019, 10:54

General

  • Target

    e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe

  • Sample

    191216-pg5st7zccj

  • SHA256

    e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec

Malware Config

Extracted

Path

C:\8602x1c1u-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8602x1c1u.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D8D6909BCDF3874

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/9D8D6909BCDF3874

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

hsHI2+FE+MYt7hrWfos6UicML/O/CTLqllNG6Pna12ju1Da1CX0bSScoxXppqGgF
SNz+4qNJi0cP++CfnjwikNn71suDTwyaIqEt9PuLi/FvWAgKIoZnIJz/yw74b5I4
R+D5E27Mfke/lbdme2IdmOMFFijSfhmxqYIc0dTOyz4v/S6/PVWmj5yzRWR0HFcD
ken13lM+O9wAALo1NwvpJeL1ii7M/XR22BPNpA+t8UH0lHg5/7xyYAsXeGGRk8n+
TMz0JXzCbzWlUx7Brt3FultusJkC5YN3hkuWRnEKSNSXbPuWAEy7lh7xcGGR9dJ3
161KppnRjU0EHxHmx6QE12KlgBoSzo6y4y3PgnnCGvDk95alD5yqdBvmsUqQxSrZ
EbJblvsqKu7bk4iKGcwfEjbOEaxt6n9tubrr1sY/N48NDAZR6TUmd9j6psMeQju2
4goewMZiK+VBYX2JNNy55KxgKoWwlOGDuZHxVo2aVGRYjEnlzdnZKd1/vCA+3/tR
+XZcGdeLwe9WxTgNOfXgIQyTDC2LAEjxYfVNRUbfhrs2vzsj2ke4C9921fkKkGQu
FquI26vZawebG1Ftbqp1azQQtfyvlwZnazeyeGxPuo1V4f+iyTpeGiaucwFE7lQ6
KPj+hT+2sNW6bZlhRk0B+YArPczb4TSAhYyATspzsk4Ccfn1wTdRxOrrZ5OUBRdJ
+rFcdI1DFI6AhB8MWlooOj9MZU31jDZgzkFBBaqDvmkNnKG6cbCKa+NPgyKTytx9
7fxz9yPo+8zsfmLtff5aOGLyIRO58KYAmTV3rrB3j6l/0dHXqZVqf0dEGgy10YLn
lOpBmlxaA9vqCBlhGQVFKfCHRA3MqgP4RJqs1uNYlEhldcMkpQDKk6I+pTGf1uzU
jVTqhQWmeWOxBiX00BGt1d67nDaUnqLk5Ib8OMmF6vMy15rEGCaNZF2vMvJsbtMf
E4byH78UhAxpOlJR77VJ0escssZ76i+ew93j2jY3P/yi1lOv8gpxnG+PMcSPEDa0
0767g/PNFkg0ds7C/ohvEv7QC9R+MkQoysAULr5FDF5Ec8eEggjmV0lcg0Tm2glL
g2ZIlV3LyQgULeHi9rjPLDcEk3IyU29bbgRZIBf0xKRQBV6lITHTXYSXqoqwzQ==

Extension name: 8602x1c1u

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D8D6909BCDF3874

http://decryptor.top/9D8D6909BCDF3874
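The "Extracted" block above is what a config extractor pulls out of the dropped note: the per-victim extension, the victim ID that both payment URLs carry as their path, and the wrapped base64 key blob. The parser below is an added example written for this page, not tria.ge's extractor or anything from the sample itself. The embedded note is a constructed, shortened copy of the note recovered above (the key blob is cut down to its first and last lines so it stays readable); the regexes, the `NoteConfig` names and the `<ext>-readme.txt` consistency check are mine.

```python
"""Pull config fields out of a Sodinokibi/REvil-style ransom note (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a shortened copy of the note dropped as C:\8602x1c1u-readme.txt above.
# Only two of the 18 base64 key lines are kept; the rest of the wording is abridged.
SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 8602x1c1u.
[+] How to get access on website? [+]
1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/9D8D6909BCDF3874
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  b) Open our secondary website: http://decryptor.top/9D8D6909BCDF3874
When you open our website, put the following data in the input form:
Key:
hsHI2+FE+MYt7hrWfos6UicML/O/CTLqllNG6Pna12ju1Da1CX0bSScoxXppqGgF
g2ZIlV3LyQgULeHi9rjPLDcEk3IyU29bbgRZIBf0xKRQBV6lITHTXYSXqoqwzQ==
Extension name: 8602x1c1u
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EXT_RE = re.compile(r"^Extension name:\s*(\S+)", re.MULTILINE)
ONION_ID_RE = re.compile(r"\.onion/([0-9A-Fa-f]{8,})")
# Everything between the "Key:" label and the "Extension name:" line is the wrapped key blob.
KEY_BLOCK_RE = re.compile(r"^Key:\s*(.*?)^Extension name:", re.MULTILINE | re.DOTALL)


@dataclass
class NoteConfig:
    extension: Optional[str]
    victim_id: Optional[str]
    urls: List[str] = field(default_factory=list)   # payment URLs only, in order of appearance
    key: Optional[str] = None                       # base64 blob with line wrapping removed


def parse_note(text: str) -> NoteConfig:
    """Extract extension, victim ID, payment URLs and key blob from a note body."""
    ext_match = EXT_RE.search(text)
    extension = ext_match.group(1) if ext_match else None

    id_match = ONION_ID_RE.search(text)
    victim_id = id_match.group(1) if id_match else None

    # Keep only URLs whose last path segment is the victim ID; this drops the
    # Tor Project download link the note also contains.
    payment_urls = [
        u for u in URL_RE.findall(text)
        if victim_id and u.rstrip("/").rsplit("/", 1)[-1] == victim_id
    ]

    key = None
    key_match = KEY_BLOCK_RE.search(text)
    if key_match:
        key = "".join(key_match.group(1).split())   # rejoin the 64-char wrapped lines

    return NoteConfig(extension, victim_id, payment_urls, key)


def key_is_base64(key: str) -> bool:
    """True if the rejoined blob is well-formed base64 (alphabet and padding)."""
    try:
        base64.b64decode(key, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def expected_note_name(extension: str) -> str:
    """The family drops its note as <extension>-readme.txt, as the path above shows."""
    return f"{extension}-readme.txt"


if __name__ == "__main__":
    cfg = parse_note(SAMPLE_NOTE)
    print(cfg)
    print("key is base64:", key_is_base64(cfg.key))
    print("expected note path:", expected_note_name(cfg.extension))
```

Filtering URLs by the victim-ID path segment is what separates indicators worth blocking from the incidental `torproject.org` link; the note name check ties the extracted extension back to the dropped file path, which is a cheap sanity test when an extractor runs against many samples.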

Signatures

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Drops file in Windows directory 2109 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Drops file in Program Files directory 52 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Discovering connected drives 3 TTPs 6 IoCs
  • Deletes shadow copies 2 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe
    "C:\Users\Admin\AppData\Local\Temp\e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in Program Files directory
    • Discovering connected drives
    PID:4888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Deletes shadow copies
        PID:4332
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
      PID:5072
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3780
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Discovering connected drives
    PID:4480
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    1⤵
    PID:4596
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    1⤵
    PID:2072
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    1⤵
    PID:3880
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    1⤵
    PID:4792
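The tree above shows the sample (PID 4888) spawning cmd.exe (PID 4276), which runs `vssadmin.exe Delete Shadows /All /Quiet` (PID 4332) and two `bcdedit` commands that disable Windows recovery. The detector below is an added example written for this page, not tria.ge's signature logic or anything from the sample. It runs over constructed Sysmon-style process-creation records that reuse the PIDs, images and command lines from the tree; the sample's own parent PID (1234), the benign `vssadmin list shadows` event, the rule names, severities and the mapping of the combined chain to ATT&CK T1490 (Inhibit System Recovery) are mine. Two details a practitioner should carry over: the 32-bit sample launched cmd.exe from `SysWOW64` while the command line says `System32`, so match on the image basename rather than the full path, and match on the normalized command line, since all three commands arrive in a single cmd.exe `/c` string before the child vssadmin.exe ever starts.

```python
"""Flag shadow-copy deletion and boot-recovery tampering in process-creation events (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed Sysmon-style (Event ID 1) records. PIDs, images and command lines for
# 4888/4276/4332 follow the process tree above; the sample's parent PID (1234) and the
# benign 'vssadmin list shadows' event (PID 6000) are constructed for the example.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\e5d23a3bb61b99e227bb8cbfc0e7f1e40fea34aac4dcb80acc925cfd7e3d18ec.exe"
EVENTS: List[Dict] = [
    {"pid": 4888, "ppid": 1234, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 4276, "ppid": 4888, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                r'& bcdedit /set {default} recoveryenabled No '
                r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 4332, "ppid": 4276, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 6000, "ppid": 5000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# (rule name, pattern over the normalized command line, severity)
RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"), "high"),
    ("shadow_copy_deletion_wmic",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"), "high"),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"), "high"),
    ("boot_status_policy_ignore",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"), "high"),
]

USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so '/c  VSSADMIN.EXE' still matches."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def launched_from_user_temp(image: str) -> bool:
    """True for images under a user's %LOCALAPPDATA%\\Temp, as the sample here is."""
    return USER_TEMP_RE.search(image.lower()) is not None


def analyze(events: List[Dict]) -> List[Finding]:
    """Apply the command-line rules and a parent/child rule to every event."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        cmd = normalize(e["cmdline"])
        for name, pattern, severity in RULES:
            if pattern.search(cmd):
                findings.append(Finding(e["pid"], name, severity))
        # cmd.exe started by a binary running out of a user Temp directory; compare on
        # the basename because a 32-bit parent gets the SysWOW64 copy of cmd.exe.
        parent = by_pid.get(e["ppid"])
        if parent and launched_from_user_temp(parent["image"]) \
                and ntpath.basename(e["image"]).lower() == "cmd.exe":
            findings.append(Finding(e["pid"], "cmd_spawned_by_temp_binary", "medium"))
    return findings


def inhibit_recovery_pids(findings: List[Finding]) -> Set[int]:
    """PIDs that hit two or more distinct high-severity rules: shadow copies gone plus
    recovery disabled is the T1490 (Inhibit System Recovery) pattern, not admin cleanup."""
    high_by_pid: Dict[int, Set[str]] = {}
    for f in findings:
        if f.severity == "high":
            high_by_pid.setdefault(f.pid, set()).add(f.rule)
    return {pid for pid, rules in high_by_pid.items() if len(rules) >= 2}


if __name__ == "__main__":
    results = analyze(EVENTS)
    for f in results:
        print(f)
    print("inhibit-recovery chain in PIDs:", inhibit_recovery_pids(EVENTS and results))
```

Running the rules over the cmd.exe event rather than waiting for the vssadmin.exe child is what makes the alert fire before encryption: in this trace all three recovery-killing commands are visible in PID 4276's command line at creation time, while the standalone `vssadmin list shadows` event produces nothing.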

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4888-0-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

    Filesize

    4KB

  • memory/4888-1-0x000000000401B000-0x000000000403E000-memory.dmp

    Filesize

    140KB