Analysis

  • max time kernel
    141s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    29-03-2021 22:39

General

  • Target

    7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe

  • Size

    282KB

  • MD5

    1e7cc3701e8b0266529709e24cd2f6fa

  • SHA1

    5efac9cd4bd5bc67d3898280046967a2cdc5e547

  • SHA256

    7d5e6782e91871fd6fd5adbd61901443f5b5a18a7bffdf56426924a1c117c0ca

  • SHA512

    4ffcce0f25d7b3fdde59c0e73a4416fc538af9b3ef96f43c15267a7bafad0df372cbcd21aa4f36f0632465fe61e28b9d65c4a2e7bf180affb5b0e4799ca72841

Malware Config

Extracted

Path

C:\t52x6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Hi there! We wish you to have a good day during these difficult times! We have to notify you that we have completed the downloading all sensitive data, including personal data about your clients, projects, databases, reports etc. Ask us - we will provide you with proofs. We will public all the data in case you refuse to pay. Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension t52x6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). In your interests to contact with us ASAP. Otherwise all your valuable information will be published and sold. Believe us, it's gonna cause way more expenses, than the price we ask. [+] What guarantees? [+] It's just a business. We absolutely do not care about you and your deals, besides receiving advantages. If we do not make our work and obligations - no one will cooperate with us. This is not in our interests. To check the ability to return files, you must go to our website. There you can decrypt one file for free. This is our warranty. If you do not cooperate with our service - for us, it does not matter. But you lose your time and data, because we have a private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD60647B407AC4CC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/FD60647B407AC4CC Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Ic+DHjnfxZZbiljyArfp8ZFNht1JV8kYMDTAnW2UZMz4X8BnDAjjvRRPsuKa6WrI On2D5eJaEMWarEauPuUzGZDx37u0eIItKXay8SPrH4TRxSYHtctRlU5FGF3Gvbm5 DZyvfK0inRtHBu5BYExJhGBsVf+VUG0kQIl4lQo563PzlgIFHw8bN/YhaWl2DhEK zkV/TH4tt3RaufXjyQEXCWZe1gM5/MvIv1li1BFAvgTkAwVWQmAW8z3R5xkzUZoR AtgAh/qyrV3uREGPh5IzFsvFl7SyjWOW7GPJSlZUGEF5tmc7eiWZfzp8/d8kiBLx b0Ej2YCQiD/FlLwGzvKNrZKb6RdZHgN/bJCkV21FGBfcw8f63u5DMSfwSQdR+9xf tD4+05Lqf5Au5aBps0KeZ2++gZ085mX5qq8CY0fqPPGQEqSNrM7W+YfnU9Nh6esT 3phmG0Fe+R8HOwg63d0wGcq3AY9SF0HvjlaxulBGrmd5AYueSQtjLgtykfwMR0Cy vLNlYIQSMfAc5BoRscnZs5y3DuI3lEI4TjLzxJtvhRFop/TekF+sA2Lps9/36XEk Gs2tlmmkFi5a6atI9okqH1E6AxBE86jQxYDE1v9zpMG5Z62QVp8x470UQuw9FEZW avmfJyE9+AX77eyJXveCBWaXxNhQFKmahce6T2cxeHrf8xjGS7zZ7ydXNZQlTndu uBNGSEt0uyBS6pzmcWcGn0xJSWlFVJ5Qet4CrOIr9zFC9PGb0JFSAPvmSjyq0RNo HYPaYbpgtTcqW4Z10IbqsdS3GsdTfXC3lZwGZAZYwiqCVbpbm11xtvKfx4VJZzmB 2pAXsln9ltaBtHhjcgu+Dfu+UCC0fCYAIZnp9hwWmt2rfBgQ1Y65SCBNyZELS/GF TjEhdUKJXHcQzugq+vmn13nyO/UxPN6ZqHsvQbEq1orhDsPi5C5Xg9Ge45VaMfl+ kU/fN2Rh/e+Gnwg/yWRl/h6wV2uWNIQrOfxPholZ9D6I2829ZHAmN3EntxD8s7ET ARNX+POd9r6bTKyfwDXtdMubLv1LyFRsXwPZyND98YTpOPjUmlvr+566nd+ZzzLj V5PDKfApt2KufqTSJ+iK5SS9VXYmKB6P8dlpakfgtptz7xIMCDAe4DkGn+Pt1NG1 ldgkw+tlcAwgspT93Bsylm5Bv+X9UkZdAse/ZPABwlHMTaInEbjZMqLWGcWr4OA8 O5dqnBv4X6IMseaw81cUNpoA9hy6uR3BXrCSO/r9LHt8tGiG0jdNSEsloQAassHd H0UIcQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap.
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FD60647B407AC4CC

http://decoder.re/FD60647B407AC4CC

Extracted

Family

sodinokibi

Botnet

$2a$10$3Opr4kvAsuIH0gwMiLMs4ed6M8Q/L1qSLbtKxVh0cr.7B0wqz23tm

Campaign

7231

C2


Attributes
  • net

    false

  • pid

    $2a$10$3Opr4kvAsuIH0gwMiLMs4ed6M8Q/L1qSLbtKxVh0cr.7B0wqz23tm

  • prc

    ShadowProtectSvc

    BackupExtender

    sqbcoreservice

    avgadmsv

    visio

    tbirdconfig

    DLOAdminSvcu

    dbeng50

    NSCTOP

    lmibackupvssservice

    infopath

    winword

    BackupMaint

    CarboniteUI

    wordpad

    sql

    kavfsscs

    dbsnmp

    BackupUpdater

    msaccess

    firefox

    powerpnt

    kavfs

    ccSvcHst

    ocomm

    onenote

    ocssd

    dlomaintsvcu

    Rtvscan

    thebat

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Hi there! We wish you to have a good day during these difficult times! We have to notify you that we have completed the downloading all sensitive data, including personal data about your clients, projects, databases, reports etc. Ask us - we will provide you with proofs. We will public all the data in case you refuse to pay. Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). In your interests to contact with us ASAP. Otherwise all your valuable information will be published and sold. Believe us, it's gonna cause way more expenses, than the price we ask. [+] What guarantees? [+] It's just a business. We absolutely do not care about you and your deals, besides receiving advantages. If we do not make our work and obligations - no one will cooperate with us. This is not in our interests. To check the ability to return files, you must go to our website. There you can decrypt one file for free. This is our warranty. If you do not cooperate with our service - for us, it does not matter. But you lose your time and data, because we have a private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap.

  • sub

    7231

  • svc

    tmlisten

    mfemms

    Altaro.HyperV.WAN.RemoteService.exe

    BackupExecAgentAccelerator

    AltiCTProxy

    AltiFTPUploader

    VeeamNFSSvc

    TeamViewer

    memtas

    ntrtscan

    SBAMSvc

    Altaro.SubAgent.N2.exe

    MSSQLFDLauncher$SQLEXPRESS

    ds_notifier

    psqlWGE

    veeam

    SAVAdminService

    masvc

    sophos

    McAfeeFramework

    sqlservr

    mcafee

    VeeamEndpointBackupSvc

    KAVFS

    klnagent

    Sage.NA.AT_AU.Service

    ofcservice

    SQLAgent$MSGPMR

    MSSQLTESTBACKUP02DEV

    Code42Service

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe
    "C:\Users\Admin\AppData\Local\Temp\7D5E6782E91871FD6FD5ADBD61901443F5B5A18A7BFFDF56426924A1C117C0CA.exe"
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4808
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:3284
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      • Suspicious use of AdjustPrivilegeToken
      PID:368

Downloads

  • memory/4808-2-0x00000000064C0000-0x000000000A7FB000-memory.dmp
    Filesize

    67.2MB

  • memory/4808-3-0x0000000000400000-0x000000000473B000-memory.dmp
    Filesize

    67.2MB