Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02-03-2021 15:27

General

  • Target

    0cf6b2529f92cb76be812caf661460e08bf65d9582ff5ea2d39206c8ead17b6a.exe

  • Size

    116KB

  • MD5

    157083d3340bd1ccb0ef3753f1491dad

  • SHA1

    7f62112b7e3811b4c025f20f656e5930ad30125d

  • SHA256

    0cf6b2529f92cb76be812caf661460e08bf65d9582ff5ea2d39206c8ead17b6a

  • SHA512

    39ec844c2dcf33862571f8d267b1384dbe5fdb3b8d1de1b615ba85ecd8cf58433147c6c6892a4967a0f0eba045fb187ea0d08055585134d5c3abf5297507421b

Malware Config

Extracted

Path

C:\22lirwk80-README.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 22lirwk80. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D5F776ADDCECC7E7 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/D5F776ADDCECC7E7 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: J+1sOv9xczLjrG1eY0QdFNrhM4zFn+Cm4nn6LB0Uzt6jfwjQ1FLx+Tw7ZPgujDSs xT481sClstLwBoT++D8kb14JcYP5WNcN2Ig7S1d9wH/3d/LUcIGIQH1jbHALsm1V zmtgS39Nvpp2vna8Lic5F3A66N4njzjb4pOO/Y06Y6GfWHA8LSIRlqjJ8sY8Hy7V nmEZSklghbQ51Vq84vZCEIL831c4/r2CAEIVk+BGXVKwjYZVg/4WiI40SnfsrTRl 7dmPXOvqYCS7qzySFx6J+w2T6Gf60GAWMwoPXYMtTiXWBpXM43xXs/nFncfRJDq/ g0woFV9H4Y7CiRcOI+TMLyek9wzmf9pUFgYkRzt2UyITaDahazI1Im1K4QRstjZN 8H0HwJ4gApU+6ZEglM5N8S4hdcGNf5YJFJkkdpWpizJLkfhaZEXn362JQeAneNhw W2+ClOQ69bgxXTPtPXjW7YacYwn4Z8hTL+ePBVS1jV0IYd8bEB26fyUyaU3WfsFs CHPBuWX/9iD0KZb/JY5XcHi65sPQ8EwREwYwTjFFpmiMtihZRK6L7Ho3muxT3Wbg 61tcU0ww9SZta2tvZePP+ufgStAB5RTyNGoWix+oEF71cb/jAKs5vUu/ai1bI5Rf Fr1+1OjfUIpNd/GGASOG5Z2fGjSvVsamiH2q90KxPWyb9fQGvV90IkvqaoVKeXPf 6AsiiKXWv5C4/Z11eCpqF2jqFysItBqrprzvcHhpci4S/Dk2YuTLVkph2iM5C1S1 0XbZ8qe0TLQT1AcTktoRGXluTIXabLxtd1Wl5Kh1vGsrIeTLL04bCggCF9/Jf/s4 b1QOd07vfFVEtBB+GdYXR40YHB2HRZJZf0XIlTm7ejcDT+9KmAW3K2YTpoCIeqf0 +jLG3HFAHFYbNXQQZTdwMoj1Sj2s3G9OU+lAHXzBO/eLSQAFrqOYnAUUZ8A9v0hh rCti9GPTIp8HxU1Qe4d0KkUP1MhSX5Bdh+AG3U546Rz4veouTWGHVonoDsUh7YIB TlzlYOqgyoMTqu7J7ubcsuP989242qQqm6tJZpST/fjJNnojE3NvS489CRhwgd+3 JB0mmGAs7cM8chBnWfaaeGLTDetyyc5rdSccS+FFVuunGo7WdcwGN7oCDafO4IoI NVERpeVWSp+8F6LSpLXwRxT+7Ul/HvUVJhXWAqFUQJgqdS4Veu9BCcYjYHL2EQeO 7lC2lKdiVKID+vr2FBn/wBppJxecgGP3cNgmd/EpwmHumX3CkuyKdJxT29vfuSX2 hhSSQfbSjropTyaoFubDWIaR5qiMXA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! If you refuse to cooperate, and don't hear nothing from you, we will publish your data on Black Market. Good luck!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D5F776ADDCECC7E7

http://decryptor.cc/D5F776ADDCECC7E7

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 33 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cf6b2529f92cb76be812caf661460e08bf65d9582ff5ea2d39206c8ead17b6a.exe
    "C:\Users\Admin\AppData\Local\Temp\0cf6b2529f92cb76be812caf661460e08bf65d9582ff5ea2d39206c8ead17b6a.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4692
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3004
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4024
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3028 -s 7244
      1⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2768
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2768 -s 2060
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4308

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini
      MD5

      102794107ac08a5075e6b3a479afc40d

      SHA1

      84290f75232fc201dc54560eaad4c0877d5d968f

      SHA256

      efec0f4e4f7c9b13c367dec992f0aaf4a1fcf6b8dde90e1b02d86811ed461c1b

      SHA512

      6e385261a3ac26a809be13788d576868509cbe5b303dbbb872875bbe254f170eed99f80b27bc4a4d31913e9ca5e854a5fabcb5ffd3e4a860748cc7b41fd484d1

    • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.22lirwk80
      MD5

      774674b5ebbaf41445b0918841704e51

      SHA1

      94275f5089042673d4dd2883dd37a46d573a9b7f

      SHA256

      cf6e6f84feff750707ece4a40dd07df9b9a0df759170fa4e0b065f7e1d1113bf

      SHA512

      e2f8607bf3eafd3dc835a39682094a41125bfb7e7dcff384b2040a369bb791d3aafac77f8e09184f865e0d8cec40deb0606af420b8c3c369d0c4e4bc357feeca

    • memory/2400-3-0x000001DD66390000-0x000001DD66391000-memory.dmp
      Filesize

      4KB

    • memory/2400-4-0x000001DD66390000-0x000001DD66391000-memory.dmp
      Filesize

      4KB

    • memory/4308-7-0x0000022677380000-0x0000022677381000-memory.dmp
      Filesize

      4KB