Overview

overview

10

Static

static

10

17a54bd46e...c4.exe

windows7_x64

1

17a54bd46e...c4.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    08-05-2021 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17a54bd46e7815b74ccb29af6a836dda52b63d5ae46b51c941f93aeca5eb2ec4.exe

  • Size

    115KB

  • MD5

    f4197dd28646000528e651ee1aead23a

  • SHA1

    7b1b259c0b84cae045f02c1d17154673141b6947

  • SHA256

    17a54bd46e7815b74ccb29af6a836dda52b63d5ae46b51c941f93aeca5eb2ec4

  • SHA512

    5b97ed21b885f0f2c6db8c35d27dbd0bfd1e0f1b5e34d566556db9ffe6f7cb38a2c639d8281e9a8798dd31ef9b4075cb57c98fef7243a9a9795c8c8adfe393df

Score
10/10
sodinokibipersistenceransomware

Malware Config

Extracted

Path

C:\ry2r0v1h-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ry2r0v1h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2EFD8E6AAC6D1959 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2EFD8E6AAC6D1959 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: MHoUpsKx2EOufPia8DK/jqR4lQJiYMs5c0bGDsKLPuDjyrXKugamjbdbUHktkMwA 5jzESzjHtXYS6IWAdhqjSwpf7K+JRcwIFW9Qf8XYsaCq/vrJ83ubUwZnsSDMKxf9 G1hUSPrMQcf0DRR5ok5cRy8Ab0u1OfMajyImUt4+gwS3epQGn6xkdni5dYf8kGtR NRO/LItA4yL8/mgiQFR5P6AWJGP4DYdi3XAjHD0/37puA4qoEOPeO/gxKnBDR9f3 lz4bEFlUm7ZWWOm3YxMgVyaJP9EgO7cBrTxFnvyTBKhkRACWM59Rsrv652EAz9Pw ciE2ukb64K0QAX0jyOJ7iZATqLPFswjiN4yzesKXCaTh4K8r3+4436kokkG62Lag cJkDDYhjXi+BKNyNmrXaWI1x9TkM2FzqyDFxsmkcaqJ5Kodv0/+u0U53Oms1BIHC SM1cyPTqvmtz0T9oAWjvu70xJAw8T05Kojj+Ayw/n0ct7AAM8JYXW18wzXPoOjjy +1gcqFmkYyEw7wJkIs++1szMVnUkcUHkkKrrQwKa+1jwskelCDMpekxC+UeMSt1V KjOVJXulkCSHrP0IXBH1ylwFwzu+LCEycQWjQKYIsNkUN5GxcaHDIm55CvkoDE2k l710pB+Z6PjfeHrL2AHBz13biIljEnXvsygPZyqi2eUbSZXuiZRJngjaoNP+snSI vhL7qltdLO1rajCPrnubt6OBytFx8TDphHHA7vZ4ns5FishA7dOx9tct1lPhEUAk IlX53+sMxtBj/+4k19BFK78aW6ritwXaAz27qJhIBvaGsI8XrPzerj+v9UQdSL7V Yf8Fm+qXtDgB2tLh90N/rbwiqjfwFIMHJ8vSscYKRvXGlza2nHeSyaJ4A3OpIkiz DLquHdmZsQxZCAOKB/THTZRg+mdw4AAlswanOhzNsfA42Hi4a/MiF201//YbIJTS 8HFSkmXYkqm/ChvAbgoI6fYp57uZVpMnytV54rdSvjvOrxzaOclwvzmTbewTcqBL /geoRUER6g6Nn+9exJB3tqPZKVsgpR8AI77YK9vgYgYxTy4pv7+uRwQJe7nRtDAf V+zi43UzMuH13BHUt3KRB+2MErSPFpvkOfaiHlqzQnIgurbGPEj+zCEAeUn6N+Ci kv5/O3R07T1nWfNcbwcOJArZ/AYdgNSdaQ/XE9B3RKFK+R4aXO66awH514EUNSMq LGntEcf9MB674vvxZhAdg8Te3cbNm7KDyFKp8socrZdbDjye9oBNTz9oHjO6OrQK /bjKwJuK4e6yAxI3etVZYZibRyk= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2EFD8E6AAC6D1959

http://decryptor.cc/2EFD8E6AAC6D1959

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17a54bd46e7815b74ccb29af6a836dda52b63d5ae46b51c941f93aeca5eb2ec4.exe
    "C:\Users\Admin\AppData\Local\Temp\17a54bd46e7815b74ccb29af6a836dda52b63d5ae46b51c941f93aeca5eb2ec4.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1252
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2596
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1616

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1252-114-0x0000000000000000-mapping.dmp
      Download
    • memory/1252-119-0x000001887CAF0000-0x000001887CAF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1252-122-0x000001887CCA0000-0x000001887CCA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1252-128-0x000001887CA40000-0x000001887CA42000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1252-129-0x000001887CA43000-0x000001887CA45000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1252-135-0x000001887CA46000-0x000001887CA48000-memory.dmp
      Filesize

      8KB

      Download