Overview

overview

10

Static

static

10

nonet

windows10_x64

10

Resubmissions

20-12-2020 14:44

201220-hm8p7lq23n 10

04-12-2020 16:20

201204-bapf2923ns 10

Analysis

  • max time kernel
    60s
  • max time network
    59s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-12-2020 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe

  • Size

    117KB

  • MD5

    1aa4a440dbb64066a9d2ffeb16618121

  • SHA1

    e0130f08665b53e1fec96c2de8de97f7796b9fad

  • SHA256

    a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148

  • SHA512

    3a594e707c2c676cc64f441a03b9b0560f6ec1155fdad802c1868dc686acfdc64ea697f3e79d522dae2e2a107159594ee85e3d67a3a1f4990452c6020b0c6820

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\3s7ak7r8s-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3s7ak7r8s. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF9F5255F9EBF6E8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/DF9F5255F9EBF6E8 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 6L5pniDbuowmHsdpVJSy8fVFwzxXZTwD7T4UZgDQnjr5GUxfa/QTseiWEtooucth mRF7pBILrSSDHZOGk246edPqd1rrYGFVV1KOHDZWp5/X0mzriHnmsauNk6YKMLte KQCqCGrEp+jH4ZyzdEruUNgyFugN/DjzR07JE2G0LjxAry6QyaDazPMMT0l2kVyq 1nF0S0IHPIsE45qbdi7hwWkl6VttomuPrNCHpiNl2piNz1udLATvRMnv8o8Zognz 01KbLSIDAu7duE/n0wN/KgfSOFn6b1CosXo02cBahxv0JnkoXF/OBevxukqJeqWu wKg7AWkZ7jU64up8ttg4IbFLEAvhkVfZwv1dSGj9bJ6k5VnIQbdKpHBT/pVB4Wmm cg9rUWRiiwssDfA7WjLH6gY0Qh0bvBdDhGXPmvPe6Z1DpClzF/IUNDRw8Dbkxsni SDKV8jmxABoAxpA17CgkrzlHlId72ROnqTi0jcvmchvh84RW437eRz1idDDqmvbp N5nhqNxKTzQEKc/x5ovFSnb0v4ZMC26HJzkJJ8G/seMY8mPxO2gHIe5QzX5z8zlQ iSsWCuYsw6Udxxr72OpnlUbB+UVjbfTi+rNv2LNZVW3rJsxkaZ+fblKKnNBGdyNu rYjjRPE7wpI7Uu7dLkqvnKEfp5B/+zY+/c5tyn2vK/Xr0xTtJiAyLMnSUgr3KuSa N/DqKhGl7Q/KDWaJ32zGGMlJU+Xnf/iXl21Ed29Lub7MWVNgVE8MeOid1U4UGm9J gEH8atRmdpo/wdVIUd1dbduzA/Z/f0h/2qqbp1zCcs1SbDcbXB4HF2Ro1YdODDRW elVEhI2H9zy9FNIGoes9mBAusO7kXXony/LfiTLVWMu3EI25kS42YTBjoqaZXNJa cm9n9zULXTmX58NgJmM0UPaNuGYNlD5JhS9hHV+E/IX7UTs9AiD3jVrv1gsfL6ed 19B4m3/KWDJaOgWrXddE5Iz1UP56hMEk7AvTWUflInugM6Gf5G2MUDUnr8nRqc+Q bA/txRZnxgKPlmOvejSEFOjxn2iVlggjMCq23IpIXV5c0TWZ8IorbhvJ6/vsXwpU Qr+SXxeBx1zo8nbwGbRJzmeyCqWTofxwM8qG9Vvi3L3erVwqcvRKPA4Pmj/Wed15 PEd2KeugbBAvwVbLgdWaKMq24S55yOtDUjSjTTSmidETcaWz28GkVpxr72dtPpzd 05m8X+jzFHH+YOkaurKXD37C5uEHU27hW+ZQlcSoCPFbruvus33SYljqxcmQvPEb GkwdrSONnT2ATu/aR12d6vsAvEXNbA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/DF9F5255F9EBF6E8

http://decryptor.cc/DF9F5255F9EBF6E8

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe
    "C:\Users\Admin\AppData\Local\Temp\a060d113134d0e905a7c00d0131d907f042b94323987b1ce2d24fb9e87bda148.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1404
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3508
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1008
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
          PID:3440
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\3s7ak7r8s-readme.txt
        1⤵
          PID:1448

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\3s7ak7r8s-readme.txt
          MD5

          7f071bc34cf2e9ac66fd06ef32a88803

          SHA1

          2c6e0c5b7ce6f95730f6e591b031cac79979ef6a

          SHA256

          345c0944ea9cc3bc592afe79c3227d34979c44b6314452f000a3b7d2cb9fdc63

          SHA512

          c049db2f433fdfec7a094075f1b7ab3a91f5fd591de2a6bd19e68548b893e70617b796607a446031d331721bb1a0722609a69622a8127e70ca4e1dbcc6e61032

          Download Submit
        • memory/3440-2-0x0000000000000000-mapping.dmp
          Download