Analysis

  • max time kernel
    123s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    20-08-2020 13:01

General

  • Target

    8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe

  • Size

    116KB

  • MD5

    6f478788c9bf905bad3371598255fe71

  • SHA1

    137db4ccf35660ab2b7e44b29755b363a93736d6

  • SHA256

    8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71

  • SHA512

    29633d24fbe3bc50d08827bb2d9ec0b48cf4895ce9387412f04458ac283540c0bbd710e71d61a3385fa3590f31fab41f316e88b8e4994811fbf1e6930e805085

Malware Config

Extracted

Path

C:\873s80v3-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 873s80v3. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8450E640EEDF2E83 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/8450E640EEDF2E83 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: IQgst7/Aw0+T+Y2Kx0XRxDMvoY02BWj3zbj/rt5LVPkq3IUQNeypxf1YE0oPVbbk s2Oh7PYZtpI7Y3wBLclW1UF8U7uh8OBZOXrf4ojBvOPamcZEPV+kK+y0WjF0jZsR L27hPlmvivp9JZhFulx39YCQH7WJSJrR85IULEpibEU74gnhInxGNOCpQmFJUFLj XCRpDoO01+/pzThOuQyAaXRhn8vgRJR79rpQo41BkhQ9/UT3VP1ppED1Inw40nL+ eU68w664s6EdaVbVYYac6FrgTmdlq3mqy+HyUPJUfIK/xt1IqYg2BG/U0BiBXwrW YNPGx+2YoZ+cEoqql38MJ7naPLUk9abJhraQVLOBi++X6KzIGIUxWEsB+HM5WyDp 0vSh3wwUN9eB+FOdkW+fsea9bjxi38KqNQExvBwu8FPwrr0lxoinAF6h0DnOMfwT HmvFahn5+ZmiLY0cBdx0Slwp40gWJ2gYlDfe6vdtHSuDZIq4kMsy4D1a+5eWXBs6 gkcOySEo33TBOlORDIaDt5LOG7YAuGX/pgqZGpOx/AMr9DXNiWjYbu2fuxZQ9EKy 1uRDD5Wr+/8WdUPYNLf14EXbNQVaufayliO3bm1g7KfBvrzAeoBg5Zbg6jqNAAtR 4ASAe1X0vQ91CTyyyAuP3eJo2sJPt7lQoq/PZng1SSlLyQsAPgH60/Ur8OyGb8A1 IqXXRI0a4+Riqc9gWyLqH6ouLUW6l/zO64WQkvmwnZrXvXY8kHodIzSG2NLrRhOf myG8yFmzM37bGx3ONLQAKq28zce10T3IojVczAJI9yOUDg32Ks4g7xLc4qidynVk P9zOKfYTpoZi2BOLqg6vKM2vlxFOvARjsz3Nl+JUUzD1DEjEDFYWmdrsa6ZEu7g8 Ukuoe5AC/d8k6zGG9en03PyposKQ0jhAhpjixuB+ElD8uvNgwCOdoY0fleHtz3nH OLD3rcwZ1T63v8LNnQGX3CDw8k//7U8yV1VOyOZRKEL+Ohvtgz7sOAOegJ4Ixewe xDzKQRyFDBd/cO/xfu0I9Rj9gAu/FkxCqWB9E6B4WHcS8xr4TskJRv+CT5rSVt7l Oz1N2dow1laG2vGlMIinT0/mhBBavkpGJJkffftX2yH6b6qd203nQ+qZ3aF9eSeA OD6ghjxq6niS4B0Og1/tJLhMsX+OArswdcCGTkpN5yNieXkD+D0GgW3Jw55ulk2H r0ZrIJfuRKpKH6ipVm72vos7wGjBAao2rvpOeN2CDYdgzOwPnuIClEsrn19oO0Vl Yr+Semlh1WRPJmVoHelKoITGHaXBbg3AMSgyPxZhGF4= Extension name: 873s80v3 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8450E640EEDF2E83

http://decryptor.cc/8450E640EEDF2E83

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs
  • Drops file in System32 directory 1 IoCs
  • Modifies service 2 TTPs 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 43 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\8d1e4bb75799fd3639d12f2418ae31631e483f8dd9758e1e8ba785c4e7a18a71.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1208
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1456
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:1328

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1208-0-0x0000000000000000-mapping.dmp

  • memory/1208-1-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

    Filesize: 9.9MB

  • memory/1208-2-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize: 4KB

  • memory/1208-3-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

    Filesize: 4KB

  • memory/1208-4-0x00000000023E0000-0x00000000023E1000-memory.dmp

    Filesize: 4KB

  • memory/1208-5-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize: 4KB

  • memory/1208-6-0x000000001B720000-0x000000001B721000-memory.dmp

    Filesize: 4KB