Analysis

  • max time kernel
    134s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    01-06-2021 06:24

General

  • Target

    c22affa4632283bb0dcf3f389d0acb2dcc4b3acbd1703956c5151884259f6663.bin.sample.exe

  • Size

    121KB

  • MD5

    dda0c20d42fa0b376d1bc47389742646

  • SHA1

    259270268c997a74af1046235ee83a1956fcde11

  • SHA256

    c22affa4632283bb0dcf3f389d0acb2dcc4b3acbd1703956c5151884259f6663

  • SHA512

    2295ea37d6e56bf4cc9710094b021d48962d461802db3b8bab5358ad08287966c8b3f13037f81c6718a87edd90dd965c23246fb05e23b6dc0fee1f0e9ccba12c

Malware Config

Extracted

Path

C:\79d3fm61sy-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 79d3fm61sy.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/667DA0FE430F611A

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decoder.re/667DA0FE430F611A

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

j6YMO5uNX7dcjaQeryIBaPJbtq0OBtkBJdGyiIHDvAOJoQWqx0bYrjqnoMa+7Ay9
xQWkzpZ49/jecmSues5ZqFrQ3YQ2WHAteXNvPjEV6ZxQRbOfOBjfdkgtTBgeZdbd
t59ivKcW55Xb+FcXg2eq2oEaTcujlfQwZgkEIMxWdjchaMMITdz5dPube/ZOIgrY
nhg5nvSIvHAJxeJXjyU/tUvnd3f24f9gOIYk07QbcNH0onelPH1Xc3UTTGiWWR7v
8tSAA/rV4Y3Q/WbynkAOP71uXUvv0KBVGXHcfUHgL+ix71mEGFee9KhUIn89YTuL
yyS4+WwzTG7ODGv8JmzIRlVlv22vq8FCg35bc29jnkbn1yLVdjLWQLapj3g9oRiA
b1dk/zm/439TarUIQ2rAwInIB18PNMCkfcM/yvMDd0RQxy5fxPgoN3kM2FbtPzMt
ZKBhjLjRF3ijz1Do6LCmQMjABGqmQentnybEkIJNJd329+4oSaRPRzcrSAiVfFuT
SnrZ/Z1GikkwLNjLvlBTyAiiKW8qAMeUc73LAaqpEMXaAUEfFXoovQnCltUk6yzF
lmSiOv37ws4U6C4bc45Krm5KNvx13vLz3Sgw3+3Kd+vNZIF0LvJcutRQFYrCgJz7
GkfepjGngIZUjwD/iud2AKVFfB3++r7NJZG4D9KL3Y+KaYk/XxEceWHmX4RQnnk5
cV71liS/RvnRqf3XrJY+BPtQ715Z9t68GEQ8wq2kR+2H+Om287+GhIrl1JG5nkGV
yGwHo5zj3vUOuiss/NoDQkmV4i/7aExsVHHTsx0IvuCWmYibOzKQ3P/6oxYpIFD3
XFV86eXBBqXZrtr0OkFewfU4k018hJXNXlp7oLeGdRd5nX2EPfo33nIq/TmRWJCD
IlWJt4JycvZ56TcYojk17sv0MmPu64w6C4m3wgs5tEGBp5gTyKRs9BAlY5bdIzPM
Ucj7Nn4LcXsHgzCPStILGeClqI7p1WfFBfM99MUNEmz9E14bxmX75EmWRGBk1VaX
NUp8GGDd6wWxBphbMYbgo9XoZUI4UdSuUL2gx4taLaMKJKNgPvsaO3ommnfBPzGd
D0R2IYVzY32DSLxC+KTw5TNcImnLXl+sVQpj4aYjHXuy/AHFDuftu+hRKX4qyDJN
KZbcDqedksfFnT6wwVOOSFNa+aVgemvtmVGCY1iIpzuADkT7rZ/tmTyZKNmU8tJM
PSNZ0+/5IGhw2VwBi7cXUbiqP5Xs+wAWRxjU5cE1hiVwcUGO+1H1/MN+3SkRpxVr
Jswhh+3vbKWBG2AEOio=

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/667DA0FE430F611A

http://decoder.re/667DA0FE430F611A
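The extracted config above gives an analyst three indicators to pivot on: the random extension appended to encrypted files, the ransom note named after that extension, and the victim ID shared by the Tor and clearnet payment URLs. The following Python helper, added here as an example and not code from the sandbox or from the sample, pulls those out of a REvil-style note and scores a list of dropped paths against them. It relies on two conventions of this family that the report itself confirms: the note is written as `<extension>-readme.txt` (here `C:\79d3fm61sy-readme.txt`) and both URLs end in the same 16-hex-digit ID (`667DA0FE430F611A`). The embedded note is trimmed to the lines the parser needs, and the key blob is cut to its first two and last lines; both are constructed inputs for the example.

```python
"""Triage helper for a Sodinokibi/REvil ransom note and a dropped-file list.

Added example for this report; not code from the sandbox or from the sample.
"""
import re
from dataclasses import dataclass

# Constructed input: the lines of the note extracted from C:\79d3fm61sy-readme.txt
# that the parser needs, copied from the report. The victim key blob is cut to
# its first two and last lines for brevity (an assumption of this example; the
# real note carries 21 lines).
NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 79d3fm61sy.
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/667DA0FE430F611A
b) Open our secondary website: http://decoder.re/667DA0FE430F611A
When you open our website, put the following data in the input form:
Key: j6YMO5uNX7dcjaQeryIBaPJbtq0OBtkBJdGyiIHDvAOJoQWqx0bYrjqnoMa+7Ay9
xQWkzpZ49/jecmSues5ZqFrQ3YQ2WHAteXNvPjEV6ZxQRbOfOBjfdkgtTBgeZdbd
Jswhh+3vbKWBG2AEOio=
-----------------------------------------------------------------------------------------
!!! DANGER !!!
"""

# Constructed input: paths in the style of the report's Downloads list.
DROPPED_FILES = [
    r"C:\79d3fm61sy-readme.txt",
    r"C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.79d3fm61sy",
    r"C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini",
    r"C:\Users\Admin\AppData\Local\Temp\WAX9A72.tmp",
]

# REvil appends a random 5-10 character lowercase alphanumeric extension and
# states it in the note; the note itself is named "<extension>-readme.txt".
EXTENSION_RE = re.compile(r"has extension\s+([0-9a-z]{5,10})\b")
# Both payment URLs (Tor and clearnet) end in the same 16-hex-digit victim ID;
# the torproject.org download link has no ID and is therefore skipped.
PAYMENT_URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+/([0-9A-F]{16})\b")
# The key blob runs from "Key:" to the dashed separator line.
KEY_RE = re.compile(r"Key:\s*(.*?)\n-{10,}", re.S)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


@dataclass
class RevilIndicators:
    extension: str
    readme_name: str
    victim_id: str
    payment_urls: list
    key_b64: str


def parse_note(text: str) -> RevilIndicators:
    """Extract extension, victim ID, payment URLs and key blob from a note."""
    ext_match = EXTENSION_RE.search(text)
    if not ext_match:
        raise ValueError("note does not state the appended extension")
    extension = ext_match.group(1)

    urls = [m.group(0) for m in PAYMENT_URL_RE.finditer(text)]
    victim_ids = {m.group(1) for m in PAYMENT_URL_RE.finditer(text)}
    if len(victim_ids) != 1:
        # URLs carrying different IDs (or none) do not match the expected layout.
        raise ValueError(f"expected one victim ID, found {sorted(victim_ids)}")

    key_match = KEY_RE.search(text)
    # The blob is wrapped at 64 characters in the note; join it back together.
    key_b64 = "".join(key_match.group(1).split()) if key_match else ""
    if not BASE64_RE.fullmatch(key_b64):
        raise ValueError("key blob is missing or not base64")

    return RevilIndicators(
        extension=extension,
        readme_name=f"{extension}-readme.txt",
        victim_id=victim_ids.pop(),
        payment_urls=urls,
        key_b64=key_b64,
    )


def classify_path(path: str, ind: RevilIndicators) -> str:
    """Label a dropped path as ransom_note, encrypted or other."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name == ind.readme_name.lower():
        return "ransom_note"
    if name.endswith("." + ind.extension):
        return "encrypted"
    return "other"


def triage(paths, ind: RevilIndicators) -> dict:
    """Count dropped paths per label; a non-zero encrypted count confirms the extension IoC."""
    counts = {"ransom_note": 0, "encrypted": 0, "other": 0}
    for path in paths:
        counts[classify_path(path, ind)] += 1
    return counts


if __name__ == "__main__":
    indicators = parse_note(NOTE)
    print(indicators.extension, indicators.victim_id, indicators.payment_urls)
    print(triage(DROPPED_FILES, indicators))
```

On a live host the same `classify_path` can be run over a directory walk instead of the sandbox's list; the victim ID is the value to search for across other notes when deciding whether several machines belong to one campaign, since REvil issues a distinct ID per build.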

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c22affa4632283bb0dcf3f389d0acb2dcc4b3acbd1703956c5151884259f6663.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\c22affa4632283bb0dcf3f389d0acb2dcc4b3acbd1703956c5151884259f6663.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1808
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:8
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:752
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3016 -s 7592
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3684
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3684 -s 2084
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2224


    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
      MD5

      9d5a414f0cb0657efff729f25fc8c2c2

      SHA1

      ffe199a639855b653bc4d7920b14b343e0a6d053

      SHA256

      27d4731a2c5658659f389ee979c54557f41c8b5885fd02874e1f5ada17510c50

      SHA512

      00deb57e8aae049f092a2b5584199f7a0f443f9fbab5b263a7f0bae3cc75d5313302bd8957a0b98e2d9f5061353a87101494903374424604d9e2f39d382dc753

    • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.79d3fm61sy
      MD5

      539e874ee6877f58bae482b133a6d689

      SHA1

      ee769bca950479425b5b8b35a30a28e85a436535

      SHA256

      4d07d82ebbbf1376616e5c07b9005a62c2aef6d8e427ba05183549504766b9d8

      SHA512

      1617254395d55eb28dd627fa7f4b1605879f18e5d9a0866386a3c4d3a6f69e79c9e259aeac6414fffed27166a0f719960c9b6b728d018c9edbce83139c3df395

    • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_04749afd\Report.wer
      MD5

      88c64c02459e549ed03e6ae2de2e8fba

      SHA1

      1901d410db9275fdc5f2d1ac07169d6ceebde8ab

      SHA256

      87e3afb831d5aaaf6d87c01e872e9dfcf62a85aad1831f74808de73a3b696136

      SHA512

      139c1e00aece7a88dd1a40926a12c434eeebc218b18f94e9837e21d65b45c673aac1b7b58f345b7b32e81fd153a54077e1fbea83fe1eeab83f1b740e08287696

    • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_04749afd\WER9A03.tmp.WERInternalMetadata.xml
      MD5

      b193d2278f218d893820f8559d13d835

      SHA1

      292a72274337becf4376d96b18a844fbb93e8328

      SHA256

      80f21ca0aeae732309da6fba45173a4473ae6281a18a7349c76cb0aa98b9a0e7

      SHA512

      337e6c04a826bb253e33291c6e0473a376337c65028077c2c0bdc080a66b10598653874838e4760c7353870fe6b4aa9f45b8309a63a6102f17715140b3bde12e

    • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_04749afd\WER9A13.tmp.csv
      MD5

      6a2a7e9e5c602bff78285300c94e54e9

      SHA1

      8e72cdcfbf52db24753f88600503fb85a86c0fe7

      SHA256

      14617ca67424115399e6b3c5c7bab84e63b8defcd90b5ac378a6ae029ec2bd8e

      SHA512

      0ce9b722551825fcff19382391eda42a122ef81fd2f25bd914bedf2dfa46a7b3a889daa72ac95f8bcdc56845c5a25e65df01eb5bb800a989a73c8548fc1a69f4

    • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_04749afd\WER9A24.tmp.txt
      MD5

      cadca5042dbdd6830b3a22a4dbbbb17a

      SHA1

      85ea61931bceb4b1b8bae4c3a947195a3a617326

      SHA256

      9d4d291fa4d13bf8bd8cee989a85549099e08a86e917280888c21296eedb5c1d

      SHA512

      725493ec0aab7b0a5932e501b95e090fccca5421325b0a13168d2acdea76266381aa059ec7813aa2475c26b699a4f8a19ab5b994af0e050f9263b79386606ec0

    • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_04749afd\WER9AC1.tmp.appcompat.txt
      MD5

      92498bd0d631f63bd29f2ee1a35d8119

      SHA1

      3c91162cafce68751d5db76e6722ce0f37a8237a

      SHA256

      b3e6ed61ba854c6a921ffff5e8e8df7458811639d772222a3079173061eb540f

      SHA512

      f301c03356676d9338273a9ec1aa029e7aa73991a765c52d8881a6eae6d93203326b7f54fb7d5e960343c5f27faacafcd527d5e7bbe3d082186b83f4f66bc3ae

    • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_04749afd\memory.hdmp
      MD5

      e5a781688ac6f7a2ab0ba29eebbfb812

      SHA1

      ee538f20ce4af79094876cf619637fd24964406b

      SHA256

      2588869ff1da2d88a695fd5eccebbd2218d0590769c7737e494579b34c120888

      SHA512

      a304409dc646442e1b906ebe2070507c95d2fbebf0f2f0ae2809b5fdbc13baa4eeea4016d8aef4bd0322414ee98acca843dc2ed95ca6bb0b65bf49654d1fbc4d

    • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_04749afd\minidump.mdmp
      MD5

      15f13e85d83fb2d292afe3041499eafb

      SHA1

      5ff8fc26012a7ff4271759911d699c379d0c8339

      SHA256

      c8531cd4fd7ca743c034b736ecf1d09140a87d07f7d63db42d2416982b2863ea

      SHA512

      60ad72c7dd8728f3315e99406eac84fbe62bad85d00c0f2e898ebbd9366e57842a6d6de1f0de806d456133e582e723d1526070cdae8c7dce8998ef7afd04dac9

    • C:\Users\Admin\AppData\Local\Temp\WAX9A72.tmp
      MD5

      d943cee093683a362030c43cb6df7f78

      SHA1

      dc6ed1ca15a0263c46d758f18f698364a0117485

      SHA256

      43e4cba792b24acb602490d9b6869c338f42511bfa57968c51d2fa70923b33b8

      SHA512

      a358b59778282170009583dde9dfd8a64b66fe564768ebb90f7d3cb47b49b55c3c54fd38ed30e1d59cba9c2e128b1836e4d9821843e7f8425174359bcd203032

    • C:\Users\Admin\AppData\Local\Temp\WER9AC1.tmp.appcompat.txt
      MD5

      92498bd0d631f63bd29f2ee1a35d8119

      SHA1

      3c91162cafce68751d5db76e6722ce0f37a8237a

      SHA256

      b3e6ed61ba854c6a921ffff5e8e8df7458811639d772222a3079173061eb540f

      SHA512

      f301c03356676d9338273a9ec1aa029e7aa73991a765c52d8881a6eae6d93203326b7f54fb7d5e960343c5f27faacafcd527d5e7bbe3d082186b83f4f66bc3ae