Overview

overview

10

Static

static

10

f97175fdad...xe.dll

windows7_x64

10

f97175fdad...xe.dll

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    20-08-2020 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll

  • Size

    116KB

  • MD5

    53fd5fc16a31ab15167c9a804e3c7c14

  • SHA1

    88b14c8f851f04c9d595ff3ae441bcf52489df08

  • SHA256

    f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992

  • SHA512

    085c5f4a8ec87c5b714cd8b4016170aa97ef80b2ec70a175f10e3a7e6c83b76aa30bcf76923cc2621fba42ee7015e452814b7d0f42f3de2146c2284a0145d3c0

Score
10/10
ransomwarepersistencesodinokibi

Malware Config

Extracted

Path

C:\2f198om7d-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 2f198om7d. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A185E370551E4C6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0A185E370551E4C6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: wopt4s9ZGdhV07QA7xH/RVRT3TvbjLHUsLn6Lhdj+wTJgloj3VjYLecx4tYtpgjW 9yxf3tys7D9oyY4gSF+qP3Ixd1aeaMB/Cn4curivAxc7FALCe4RjHIuZTJW5mAYR rkWFdtaNHaVJ/8IIwwl1CEbjvX5+0OyKKdc27HTordrfvcKE5yp1emZq/9ahim0W e4UcR6H+9Symg/LikVnIgr6CgSwehHqVCGM45cy56Ya8kKhGQ+3ktmO8OrX+l6iQ 7wz5XiaLcZ3tHTXxWPe8GB87bOAL0FVHjz2zbkel4Z4qhPIVgWY/oqmo+Hr5XTQ3 059jQ2lrbcK5ELU9nZLvhumzBaq/ZLkrh9MncyanWk0eOs20Mai1D/gsU7P2jOeg VcBRqRyJ13NCRThm8PK/mQ7QnuoxngujNkffi4bWsTM6MgVe4ieRwd6Edvrq/0aZ higSVnIbDG/9SYk7TuKLdy+VoRKHXwJ3aYxDjbUcGY02JcKGWOKm9xZimLPSwszh YAaqpLW0iJ+BVjVgnGRICcZXnpC8udHxnwGPWIaR8fE5S37hA5d9vBBOjGhfK3Oq f7vLR2cKNQMkmkDPed1mshgRzpgjYv9GHsFwVjivxI9Jzzy0GvCEBMA/VY2C4z/R zux2R+OdGfBZ8q0mK7kayfqklmCeVfB4i32fwXrjmdB9VLDPL2WrFhi9EQ/h4wd5 pTmNHCxRAhaXViRlRvMDWe68ZKB4CMag+vl5OhPwW6mLiVvYz2CdzE1UfseuS9Ue dosuu3zPa5qFNPtsJNkB5KJUoN3Ur5vYKWmJsNFKsFwOc409DcC4c7Vy7n1MJ2Qb 8NC0G5pJqgVoGibWA5cfziD7zgJl7RCo1oPLea/w7RO68fC0kd4Q4wMSKRtkk0QL I6IA1kw+YfNSoeGE+jYURX2+R9p5t1UbMH5RyDAmTpSlfJE1ppuUjpPinzuzZdiJ hNBVWMymx39aB5f68DOuPgsMaqR7Fwqiy6ueia6NXO7UImc0sVhN/HLHFBRMH/qH RSPxGDenBFkWL6QxwgH3/oBYVoJ8NyRqv3ElQmwo7sD6xIOcYHLENX+nsxHYaeUH FuZjvS7AUALX9cm8rwBA32v4CpFXzSAvZrov6GNw8cMfTcLXgxS4v+08yAT6bphP YyiMKjqiV0qT48W5WQ9jZEPmlyE8py7kq1s0mC8D/1TXdFHmLTeme/341VwL25Ek b6hN+6YkltuEBW2BXJb2Jf1kc8OCc9K+7DQjZa+S74Wk81hVOedGic5go02Ij9G0 4V3RZ55wQb3B5JxcIOUfIJYQP8KgZ85dIye4ZjaGnVAaIEkTYF0= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0A185E370551E4C6

http://decryptor.cc/0A185E370551E4C6

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Blacklisted process makes network request 194 IoCs
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs
  • Drops file in System32 directory 1 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 43 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f97175fdad804a02e6f24273b371184d816044eb2409dadaad683c07fd41e992.bin.exe.dll,#1
      2⤵
      • Blacklisted process makes network request
      • Modifies extensions of user files
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:828
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1456
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:1792

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/828-1-0x0000000000000000-mapping.dmp

      Download

    • memory/828-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/828-3-0x0000000002090000-0x0000000002091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-4-0x000000001AB60000-0x000000001AB61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-5-0x0000000002720000-0x0000000002721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-6-0x0000000002750000-0x0000000002751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/828-7-0x000000001A920000-0x000000001A921000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1184-0-0x0000000000000000-mapping.dmp

      Download