Overview

overview

10

Static

static

55.exe

windows7_x64

10

55.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    25-08-2020 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55.exe

  • Size

    289KB

  • MD5

    500286eaf9eb11b34eb413bb0df5543b

  • SHA1

    b889ff1138b2bd7a3033ca4c4868189dc8588f9b

  • SHA256

    f67d2bb9157ba5ccacbe051ac737812226fb2b43fe209867ae276695a8a929a4

  • SHA512

    65ce297688900f0c7b1eb3a327771eff79e366290761613b364f463787f66a46d14127e1a644b5fb8f26befdf90ce100110cf47107b9457f971ca8056402782a

Score
10/10
ransomwarepersistencespywaresodinokibi

Malware Config

Extracted

Path

C:\x16q8vngrn-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension x16q8vngrn. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B6E9B7957F638FA 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/5B6E9B7957F638FA Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: ZXZQVAbKL3p8Iu4YGSOY9Ql/afNeRgvexSAwwTC+EfkB3rWsYwf5vENXC1uIlRer SlOYs+Ij7mcZ60kFKWcWRobxR/HgpvBwYqU9JWSvCDfuLLTL4d7fno155U1eILRZ muAjoVSdw2svFAfOiHhOFxzs/jhTLi5EbyKoiCu4tT9H9rBhRQZvzZMOZfe+6/QJ RKXtVtl93evpmHGRcdazUhQC6CF507mCLid1N3sUqj1MVN0a6AEJw1eIub5Xk12y /r0POB7lrGfdqHcohQcTraiTFruL013zPxkY48RYI2XJ6hJe6uE7DKVJO+DN0aC4 FlYCaZNi93znZM8Nxrh500vzUA1els6mvjCnvWJSL0YMo4E810QC2PknGUQR6tcf KHOd+QsqjTyLM3gTRkEP7ZolmGgnRFrd7BRD9n+az2B8FWLfYcXlj9+SPPfyDG6I xqjglgCzSBN2KfW+XVbepm03mCU2P/v99dxJExgxZfjtVnhm75jAQYbEgx8JOPRJ C/NMBA9GJ2ZXaXq6mVO6NKLcI1pzIOsCoI/KIg5occS7VFdNSwsLx9lpuxwFgwL8 TEBhQmfFug80dx0zRP0CJneSpJjUF2dOxxI/Q4xFNVR1HjVk2p3b+8ChfGMKis3g OkoMeXWxNUf5wIPXKew/MWTZ6g/5QKCpqPAQPnYDqHpqHo4NSAlUDFMjjcqF0/k4 bwclDO+edPm7vRtzbnaTMxjAUkXyt4T5dXwpukk6dlNFuJ7YbmhH57naKXPJCNl8 /9GyWmk87TBBBPSdXSP120mpYdfXEtn+S1QqGuFjrPQ4Zpq4Mpm7HNg4HuO8pAZI YWqTx6OPl+RzHys81oenCMwb0kkyJnizO+n1Tg0z9sKpu237OhMngoCv0noo8h/e 8eg6FqOPXbsN8abFk+ETX2FluOC4WPdtGii0fUsJx0FsOltYbmrRfot7HqCqh7/R 8oWI0+gdlQdSP2NYlJTnQAFF6VRJguSY1EZtV/kON++yQWNf76ydA0pEWqhj07xN pq6ZDSJl6aToGs6dy1YzI88S3L5lbRVsacOMVM2Cclfh+/DWfSGe2GqOX+hRQEb1 FMzrM1SwcgRz4KcyccuenoHpYofC2JEScYF0IsECWNrXy3PTL03JDC/dVriE4TKc DKSP/upyoG4RzuJuohAKPayZsry1/h3rglxyv80qZDunfPr1RDlW/CX44SkNuheu z8ejv/h3zo934uV9KJrmMqMESC70CC/4Du3PYFnWVlircMwNXRtrUxPviecsA2gY gRyVVdlsE4ACSsCGh63uY82w61nLX7Zs ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B6E9B7957F638FA

http://decryptor.cc/5B6E9B7957F638FA

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 16 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55.exe
    "C:\Users\Admin\AppData\Local\Temp\55.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:884
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:260
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="260.0.1971403473\1161750959" -parentBuildID 20200403170909 -prefsHandle 1520 -prefMapHandle 1512 -prefsLen 1 -prefMapSize 219546 -appdir "C:\Program Files\Mozilla Firefox\browser" - 260 "\\.\pipe\gecko-crash-server-pipe.260" 1612 gpu
          3⤵
            PID:3652

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/260-6-0x0000000000000000-mapping.dmp

        Download

      • memory/580-0-0x0000000003451000-0x0000000003452000-memory.dmp

        Filesize

        4KB

        Download

      • memory/580-1-0x0000000003540000-0x0000000003541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/852-2-0x0000000000000000-mapping.dmp

        Download

      • memory/852-3-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/852-4-0x000002CBC7720000-0x000002CBC7721000-memory.dmp

        Filesize

        4KB

        Download

      • memory/852-5-0x000002CBCA1B0000-0x000002CBCA1B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3652-224-0x0000000000000000-mapping.dmp

        Download