Analysis

  • max time kernel
    29s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04-05-2021 14:31

General

  • Target

    7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464.exe

  • Size

    175KB

  • MD5

    5a9e750f4d1d2514c496f43b1e20a94f

  • SHA1

    c02a6413d43da9e8299c0eaab2252a20792da5c4

  • SHA256

    7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464

  • SHA512

    8159e927281c9320422132030847fcbd94c2e322bd6cfac2d0c222e27fb11e7eea956df22785a2b19b43dac5e2474ca06c98e0e416162b75d82392cb730fab23

Malware Config

Extracted

Path

C:\c1dgmoftdh-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome Riedel Company ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension c1dgmoftdh. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/52C2EDA248F29EED 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/52C2EDA248F29EED Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: lFGgFMjiYYC9zUY9BRoTrUs/GlIdhAC4JkcCkOToQgqiQ1rfglnbDFygGSbBFsVp QfRR06R2rglqm69bjuXlOQzsK/7yOgEI0495zvQf31ZsaBOs7qUHcBU1BJLQb+LX eWqUoHFxuNawoRSkL+aRkjdsDLHfQN9sxL2zrOKW9dZHwD8ms5i1wPBJPAjbznj+ kBCxXJzFnsD49Dz6OXd9kuIkcdGRnUuKb6UmfzlX0XEia7v06w0n0YRHvNHJ+5ts T0nMTOm9YEKSJjq4XOrQmwZ38JadE/02IFuHzaUDF40lmLlhfuzPdu2omCmq3D51 N3mzUR33etRYbKL77z+0+VY7KJGtC+P3NWXFnhDwb1+w/691NLF0M8zA1uIZR1E1 9k1GtrE2ZWg+mrJgdJJgHa6PGU3hwh9VWbpmw6mhW3MwAy9O0gtg/QXfcxdjVv7R vAax12E5K+m/Yj50+DFvuaygsV7R+nBMfJYt35mtsnto+2wceDQ7OyF5fz/IoiVK cH2h/8oNvDle8B50b+zi2SRCGxCfaCJ5pq6bP/1gpcphinVtQ4Os8CQqk3dDxn4m MW9qn5I8IfUtr1hATtngFr9ZH6JKg9F3bQl/r41NufNo7iH6m0/u65NH3gia+os5 SGLV3x5KvyUGcyysxlVKCOpRF1EZVYKFSnXsBNvTSeGa7H1Ro0Z0wuMHLTUVJjTn W3GuBANL/5l7rjkFFWobRAmHmVDc6etteI1Hwx18kGFjci5uFjRhVNRM2HSucZf7 2pP463giov79ifUDBo4/z2K5hGbQdxSHondBKlEn2CpMfdlrkHSHqTHzVsv5iOTi 0BHm2X49GpjkXzEagSf+OdcWfoCd5zr8S1HgP6V1LpdJlmjXHRsdGqcAiYTCVXk9 40Fy6juMJkmCVqVAhZWuq+6ROeehSyVS3FIEMVTox7FaWSZYMrqznJZKD9tQDU7S h/Z/KoBHWN3Vp9TOnylu8Oiy3h4Dwu7C9xf3ifGQHbU+W7P8exFXlwhv0HguTxdn bkMGsQ3f0eEZpovFeKEa9VD0QsJQrm4tUVObMuUy/OsAf5ar8KW4J2h3fkQmmrYR +Br8sJfSZBe61sfnn2sFVLVHEcOivUYFcJ/SQSx/St3x4QOjEj5Maj2oF7t85K2P jjEmVGnYf7expZXmxtUSgIH5VSIe063aWaM/DrTCntJaa79Tcu1qCzngY+BMro+G 5N4Ijh7wpMhSgJV0KbbVqUKIepW6n9rL1gUpirSPqvQrMkLpi2NiyHIUsW26e8ya ilMPAi8nrbhxA7qTJHmyIjdY06pV+vLg ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/52C2EDA248F29EED

http://decryptor.cc/52C2EDA248F29EED

Extracted

Family

sodinokibi

Botnet

$2a$10$.f7IpgYtYZGmT5sKVxP4DeexwfYEU6ILqgG3IL3orW0F9eevOA7L6

Campaign

4769

C2

patrickfoundation.net

stopilhan.com

johnsonfamilyfarmblog.wordpress.com

bafuncs.org

forskolorna.org

wraithco.com

bodyfulls.com

epwritescom.wordpress.com

gadgetedges.com

commonground-stories.com

brawnmediany.com

webmaster-peloton.com

blogdecachorros.com

zieglerbrothers.de

erstatningsadvokaterne.dk

winrace.no

lubetkinmediacompanies.com

berlin-bamboo-bikes.org

delchacay.com.ar

cimanchesterescorts.co.uk

Attributes
  • net

    false

  • pid

    $2a$10$.f7IpgYtYZGmT5sKVxP4DeexwfYEU6ILqgG3IL3orW0F9eevOA7L6

  • prc

    xfssvccon

    wordpad

    outlook

    ocssd

    dbeng50

    tbirdconfig

    firefox

    winword

    thunderbird

    excel

    synctime

    thebat

    isqlplussvc

    sqbcoreservice

    steam

    mydesktopservice

    agntsvc

    mspub

    encsvc

    msaccess

    onenote

    dbsnmp

    powerpnt

    infopath

    mydesktopqos

    ocomm

    oracle

    visio

    ocautoupds

    sql

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome Riedel Company ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    4769

  • svc

    mepocs

    memtas

    sophos

    vss

    veeam

    backup

    sql

    svc$
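
The extracted config ties three facts together: the per-victim extension (here c1dgmoftdh), the note filename pattern {EXT}-readme.txt, and the note path C:\c1dgmoftdh-readme.txt. The Python below is an added example, not part of the sandbox report: given a file listing from an affected host it infers the ransom extension from the note names, enumerates encrypted files, and lists directories that hold encrypted files but no note. The listing is constructed for the example, and the 5-10 alphanumeric-character extension pattern is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Optional

# Constructed listing for this example (not taken from the report). The
# extension and note name follow the extracted config above.
SAMPLE_LISTING = [
    r"C:\c1dgmoftdh-readme.txt",
    r"C:\Users\Admin\Documents\budget.xlsx.c1dgmoftdh",
    r"C:\Users\Admin\Documents\c1dgmoftdh-readme.txt",
    r"C:\Users\Admin\Pictures\holiday.jpg.c1dgmoftdh",
    r"C:\Users\Admin\Pictures\c1dgmoftdh-readme.txt",
    r"C:\Users\Admin\Music\song.mp3.c1dgmoftdh",   # encrypted, no note beside it
    r"C:\Users\Admin\Desktop\notes.txt",
    r"C:\Windows\System32\notepad.exe",
]

# {EXT}-readme.txt with a 5-10 character alphanumeric EXT (assumed range).
NOTE_RE = re.compile(r"^([a-z0-9]{5,10})-readme\.txt$", re.I)


def find_ransom_extension(paths, min_files: int = 2) -> Optional[str]:
    """Infer the victim-specific extension: the EXT named by the ransom notes
    that also appears as the trailing suffix of at least min_files files."""
    note_exts = Counter()
    suffixes = Counter()
    for p in paths:
        name = PureWindowsPath(p).name
        m = NOTE_RE.match(name)
        if m:
            note_exts[m.group(1).lower()] += 1
            continue
        suffix = PureWindowsPath(name).suffix.lstrip(".").lower()
        if suffix:
            suffixes[suffix] += 1
    for ext, _ in note_exts.most_common():
        if suffixes[ext] >= min_files:
            return ext
    return None


def triage_listing(paths, min_files: int = 2) -> dict:
    """Split the listing into notes and encrypted files for the inferred
    extension and report directories with encrypted files but no note."""
    ext = find_ransom_extension(paths, min_files)
    report = {"extension": ext, "encrypted": [], "notes": [], "dirs_missing_note": []}
    if ext is None:
        return report
    dirs_with_encrypted, dirs_with_note = set(), set()
    for p in paths:
        wp = PureWindowsPath(p)
        parent = str(wp.parent).lower()
        if wp.name.lower() == f"{ext}-readme.txt":
            report["notes"].append(p)
            dirs_with_note.add(parent)
        elif wp.suffix.lower() == f".{ext}":
            report["encrypted"].append(p)
            dirs_with_encrypted.add(parent)
    report["dirs_missing_note"] = sorted(dirs_with_encrypted - dirs_with_note)
    return report


if __name__ == "__main__":
    r = triage_listing(SAMPLE_LISTING)
    print("extension        :", r["extension"])
    print("encrypted files  :", len(r["encrypted"]))
    print("ransom notes     :", len(r["notes"]))
    print("dirs without note:", r["dirs_missing_note"])
```

Feed it the output of a `dir /s /b` or a forensic file-list export; the extension inference keys on the note names rather than on a hard-coded value, so the same function works for other victims' extensions.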

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464.exe
    "C:\Users\Admin\AppData\Local\Temp\7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Users\Admin\AppData\Local\Temp\7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464.exe
      "C:\Users\Admin\AppData\Local\Temp\7d3a5cd80e21098c2ea4a35396fb9ccec326054f45937eae3207a3f5f2d09464.exe"
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1200
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2836

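The powershell child (PID 3236) in the tree above is launched with -e and a base64 blob, which PowerShell decodes as UTF-16LE before running. The Python below is an added example, not part of the sandbox report: it extracts the -EncodedCommand argument (including the abbreviated flags PowerShell accepts and blobs with stripped padding), decodes it, and checks the script for shadow-copy deletion idioms. The command line is copied verbatim from the process tree; the detection rule set is an assumption for the example.

```python
import base64
import re
import shlex
from typing import List, Optional

# Constructed input for this example: the powershell command line recorded
# for PID 3236 in the process tree above, copied verbatim.
SAMPLE_CMDLINE = (
    "powershell -e "
    "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA"
    "IAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="
)

# (name, regex over the decoded script). The set is assumed for the example;
# it covers the common shadow-copy removal idioms, not only the one seen here.
SHADOW_COPY_RULES = [
    ("wmi_shadowcopy_delete",
     re.compile(r"Win32_ShadowCopy.*?\.Delete\s*\(", re.I | re.S)),
    ("cim_shadowcopy_remove",
     re.compile(r"Win32_ShadowCopy.*?Remove-CimInstance", re.I | re.S)),
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
]


def _is_encoded_flag(token: str) -> bool:
    """True for -EncodedCommand and the prefixes PowerShell accepts for it
    (-e, -en, -enc, ...) plus the -ec alias. '-ex...' belongs to
    -ExecutionPolicy and is not a prefix of 'encodedcommand', so it fails."""
    if not token or token[0] not in "-/":
        return False
    flag = token[1:].lower()
    return flag == "ec" or (flag != "" and "encodedcommand".startswith(flag))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent
    or undecodable. Padding is restored because the trailing '=' is often
    stripped from encoded command lines."""
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            b64 = tokens[i + 1].strip("\"'")
            b64 += "=" * (-len(b64) % 4)
            try:
                return base64.b64decode(b64, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def shadow_copy_findings(script: str) -> List[str]:
    """Names of the SHADOW_COPY_RULES that match the decoded script."""
    return [name for name, rx in SHADOW_COPY_RULES if rx.search(script)]


def analyze_cmdline(cmdline: str) -> dict:
    """Decode the command line and report shadow-copy deletion indicators."""
    script = decode_encoded_command(cmdline)
    return {
        "decoded": script,
        "findings": shadow_copy_findings(script) if script else [],
    }


if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    print("decoded :", result["decoded"])
    print("findings:", result["findings"])
```

Run over Sysmon Event ID 1 or Security 4688 command lines, the decode step alone is worth having: the encoded form hides `Win32_Shadowcopy` and `Delete()` from any plain substring match on the raw command line, and deleting shadow copies immediately before mass file renames is the point in this trace where a response still limits damage.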
Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: Query Registry, T1012 (1); Peripheral Device Discovery, T1120 (1); System Information Discovery, T1082 (2)
  • Impact: Defacement, T1491 (1)

Downloads

  • \Users\Admin\AppData\Local\Temp\nsq3B3B.tmp\System.dll

    MD5

    0063d48afe5a0cdc02833145667b6641

    SHA1

    e7eb614805d183ecb1127c62decb1a6be1b4f7a8

    SHA256

    ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

    SHA512

    71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

  • memory/3040-115-0x0000000000403ED1-mapping.dmp
  • memory/3040-116-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3236-117-0x0000000000000000-mapping.dmp
  • memory/3236-123-0x00000217106D0000-0x00000217106D1000-memory.dmp

    Filesize

    4KB

  • memory/3236-127-0x000002172A9D0000-0x000002172A9D1000-memory.dmp

    Filesize

    4KB

  • memory/3236-130-0x0000021710100000-0x0000021710102000-memory.dmp

    Filesize

    8KB

  • memory/3236-131-0x0000021710103000-0x0000021710105000-memory.dmp

    Filesize

    8KB

  • memory/3236-139-0x0000021710106000-0x0000021710108000-memory.dmp

    Filesize

    8KB