Overview

overview

10

Static

static

10

139a7d6656...48.exe

windows7_x64

10

139a7d6656...48.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v200217
  • submitted
    09-03-2020 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe

  • Size

    157KB

  • MD5

    b488bdeeaeda94a273e4746db0082841

  • SHA1

    5dac89d5ecc2794b3fc084416a78c965c2be0d2a

  • SHA256

    139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548

  • SHA512

    2b62f0e0b017ed3d2dc7103d2020604f15f95449ba842bba18f886f9e1dcc977c459c53d1e6e7abfe6b99fc3dde24f5cc7a848c92443d1daf3574ef6f0263284

Score
10/10
evasionspywaretrojanransomwaresodinokibipersistence

Malware Config

Extracted

Path

C:\odt\gfi5j.info.txt

Family

sodinokibi

Ransom Note
Hello dear friend! Your files are encrypted, and, as result you can't use it. You must visit our page to get instructions about decryption process. All encrypted files have got gfi5j extension. Instructions into the TOR network ----------------------------- Install TOR browser from https://torproject.org/ Visit the following link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6AFCB047A8F2D039 Instructions into WWW (The following link can not be in work state, if true, use TOR above): ----------------------------- Visit the following link: http://decryptor.top/6AFCB047A8F2D039 Page will ask you for the key, here it is: 8U56g0g8IYmS+SGHJfX0yn7BD+Sh/bHVX13KUljmpzoFkyPqZW3sk4TisZ7ZIP7M y4VL6geQihdrttX4Zhn+m9rO9iPZwT6j58RmPxjW87D+MJ7y4jGqJzWcm1MaQFoy kbRWqbT+8IXXiUR0lR6jU2zUFHhH4Lbx/BRXtDA7khioR38LZ8lmDkJt9QihPUPt 8beUodTzc/FBh0bYYRS15CRKaPvF7m1Y8OlYpVpzB9leN/YxF3wP75j9DlEuq+ZE H4sYP/hFt0QOsHrdB6yWnfSBiBDDDnOS9yZ40tYVJwiJjIs+kt6hwdrG0YDPa82g vBKCDhQfloplzKJzwivdF3AhrtUnNprw0zIZya4sMBTk28UJ5gdZrv0F5nO+xmt5 nI2ZW0Ri0VfNRl4nKBhhHO8CI9QTvu5BB3sNrtnSGLVXhCmndrdrtzCB3WA2qb1Y oBlTbGy30dWE+09VYHqDECDpMyp/AwmsJhfocFzEEdJ9xq5HFaqTGjCN6uN5hHqS thr7myFsZApzQmkSmjN0ja2FyxItFX0foTRDv43KSZwnRzrrQYuVesjvV3KAuZCQ lsKl3eYlG3LU90r02GS/Ms1AEoCqa0Y72gN4l17vF2H6CiQBq1Xpmte4iLpRtzg0 dU+UN/4KjTlc7EJFo+JGRXstHugbn6m+Vvny9vOoouEelX+tqqUevioNyChjSq82 XXTCkgsdnwp+4SJBXBbJTHlssHM7oMxlYvbrw80CLv/Lcnhkk+nja3x+MX9bwjdp klsFLtJx5HYy36ZTWIrmJT3Ik3XQPip764qx9Gsug8RKcKLHB/YY0V8muJrSSH+v rUDcK2XB08n3ZIrj4ipP+r7oVI8JKxZOV0YXMth73T+Q1u3fIAgjVQwmpl7IbqxK SqgxxxvH0dEwZDvfclwKJ8t7BY0m3eg6HeBvJj++GstVZmko6uk19/tPczckDPrL g7CPKMUozrAXB019yfOONjmDwsLcUMZ+/86Q3/1b/8iRyckAG9OT3Nv3X5LlGkdf HD8QdAeGriVR2HbcCA/BWP3uiaiLbCIf+TAma8rCrXZmMhdHMLed9CHd9tZa2760 G47hbiS/HzA=
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6AFCB047A8F2D039

http://decryptor.top/6AFCB047A8F2D039

Signatures

  • Drops file in Windows directory 2108 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Discovering connected drives 3 TTPs 5 IoCs
    ransomware
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe
    "C:\Users\Admin\AppData\Local\Temp\139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies system certificate store
    • Discovering connected drives
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:3920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:3296

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4052-0-0x0000000002C80000-0x0000000002C81000-memory.dmp

    Filesize

    4KB

    Download