sodinokibi | 481bf0ecceeea501eec4900700b1e691bdab665b4217755758a40fe6d6fd9c8b

Analysis

max time kernel
136s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
18-06-2021 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

智速安全助手.exe
Size

25.3MB
MD5

936f260dac63fa0d43d9a1d207660b42
SHA1

472c5c732f7dbd909dbae8ae798bd541c70e196d
SHA256

481bf0ecceeea501eec4900700b1e691bdab665b4217755758a40fe6d6fd9c8b
SHA512

82056eb7dd60a4267810ed0855d912eab08641e9b20cd47bca94fe0103a15444670735c66d304cb0cd523752584dbe852544aa9bb30a46d16b2d9d9175c59c60

Score

10^/10

sodinokibi ransomware

Malware Config

Extracted

Path

C:\\y42x39-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension y42x39. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7D031C38933EE26 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A7D031C38933EE26 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: b/iDb8yD3CPLliS7y3FLz5VUvNtGlYe12NZWEqvr4p14KxjVGWJ6JtwrbME84S4m /aeRkBMfZfQgto0IXbtpG7bpuoIX33F5407oTRCRXMmwUUFlH3o4/GpShV+5w5/0 hINEZ3/2op4bOiiKxmmkq0PRLghbNWyk20My12Tqf59GIDoYUiXIyAnFVEo1mkQa sfcyvhM/jDWW8swyh1RbxGpLM2cw3g5bYu6GhRfRg3ZFEWk9VSb85JGdMvpM4OLi 0iq4llJ8ik+I0+wlaDauRS8m0U3d89Q+c1qr7+/ZEAbC18iZO1OSSuEPnmHQMWwz l92NSimRn+ZsJckOhwcu5VGsdk/3Pi5D2ZqUocQg959tNtQ3WNr3+RfXPSs6HQu+ JswFnenjdtQQEYvcy5YvqUxPCRFmQ8yaeDdIl6MPzDnQzaGIZ4XAX8bJo1ZrV57u ca6U3hXNcyI/KA5Us5eiseKI6qTbKdlV5afePyoZlDiQwkr8+HyuRSNS3+ui6Tj8 U4CC8UCoaDYXyf1jFBTyfCBxwfJ4fWTNiuMKSlkJcLDPGbv3bn0j9SUhWHSd65Me eI5b0A5LTfPmo7zl8Uh3u84W1E2JQZ27R/Ett5C8kFtcM1RVGWxSqyc4g3tiI4+r f3qQj3ZzInhvKEOuu5LvaHUXSXWL3eM2yPbgCismHVEq1lemg62H5ThZ5c6ztijc 5/21gHHjx3seAMlJL2+U87HLM++B+/Fdbm6W3EZCZTWksXGCuN8Hhi3hO5K/Oss8 HjHsuz8DuoeJaUJdzCsvgFCQrFEMxRfcBABwqDGKJ0z0Msvws/+yMmiCgwIzh2sl cpZPXbekU+YDWj+FKctgq0n7PMJO9Mix0iGsy615TrGgKyASmfjLx+TF41/fJtNw CbnbEczV38FhhvZbgsdH81Fkr1L9cez/+do9dE6N4GrWbx6txDwdsckdh8ID8q0C lCow2+dJMS0rTcwmJtxEa4nPhZcRGTNLcuGzBrCowwiHitoyi8vpLHwMh0s9nHFo aMA0tJYvqIkzyTCZLkBb1gNvoV3n6zIGeC8cqSIEDlUqXgqzSsZbq+ifn25h/z/p fzhTHVAXmsJ6v/GoagUC1LIzoN0xiaG6UdMv01+y62H0XiVfGHMIjeEc+OMU+vU5 UQdYiRinucFahrHKPEP54jmduuoTvdVOnBVvqoCBrtuHIr5I724PErxMim6p7/rX HsLb0zuDRIA8eGbwfdeEXnUaKd/6mpu/Udxw7IKJ/B73Gn8Qb6yxYKmR/lFtrl1K FOuCfZGJueQVAIqfgdL0lw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7D031C38933EE26

http://decryptor.cc/A7D031C38933EE26

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Executes dropped EXE 1 IoCs

Processes:

ZSsafe.exe

pid process

2020 ZSsafe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

ZSsafe.exe

pid	process
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

智速安全助手.exeZSsafe.exe

pid process

396 智速安全助手.exe
396 智速安全助手.exe
2020 ZSsafe.exe
2020 ZSsafe.exe
2020 ZSsafe.exe
2020 ZSsafe.exe

pid	process
396	智速安全助手.exe
396	智速安全助手.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe
2020	ZSsafe.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

智速安全助手.exe

description	pid	process	target process
PID 396 wrote to memory of 2020	396	智速安全助手.exe	ZSsafe.exe
PID 396 wrote to memory of 2020	396	智速安全助手.exe	ZSsafe.exe
PID 396 wrote to memory of 2020	396	智速安全助手.exe	ZSsafe.exe

C:\Users\Admin\AppData\Local\Temp\智速安全助手.exe
"C:\Users\Admin\AppData\Local\Temp\智速安全助手.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396

C:\ZSsafe.exe
"C:\ZSsafe.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Data\1.sj
MD5
c20ae9f76afdb6f73fcf95fb1ce6d9b2

SHA1
15da66997fd4e2393aaaa9b1ef8bb63c87a797fe

SHA256
f7325e1061c06cc42f3aba1656e187ee2d54103484bb02c06a47dc7ee0b0831e

SHA512
5d449b0b84283668d20b2dbde934e28c87a2d6a5bff32a8597c9cfcfcc7bbbff2b723ea244fac8d65683a582e6db55ddfa8f00c1942bfc8c198935f7dac4ff9f

Download Submit
C:\Data\10.sj
MD5
16852b14f23529326b4cb65f1413f4a4

SHA1
723f869bb5d0c93b255fad6a7facaa213206ec80

SHA256
b868f3b24b33fd9b2188c507d4884c2620e7b522776c2b476f15f9fd5feeea46

SHA512
5f804a8a4d902475ad8c618edc3d705fc9a941927538a993e595cde48b026526ca2f18b2fa1dd37007acaad25636c63c7000f2c17e190b37e95e1e00312f7ab4

Download Submit
C:\Data\11.sj
MD5
a0b26208a7401883b5f0b4afcee3bca4

SHA1
036cc968d25635bf63afa0d6047f725833447896

SHA256
f1251294b8dd43931602a12da53b71a034e613734f911457092fff31fbbeeb42

SHA512
218a79659226047b4abe7a118388af3bb1d53eee2e13ce687d74264ca859e50282dce39be4d798a7767d659e99578e3759916dbbba2a6c678d7dca215468699f

Download Submit
C:\Data\12.sj
MD5
53b83aa18cc3689c5032d327022a3084

SHA1
3b9da2f8e327edbb756792a8dcdac4d364b91040

SHA256
4b4bc3acfa41dee6e3a4690e263f65074e5a41afd9c5e398f8fdf6aa654c6947

SHA512
a1b35b9694c773159825799d3f80ee349522133d4cc7dd16d63d05c8b24738ef90d30513fa8f9f650d19787b5c6e980c5a143fc9552b9ff6476682ae9512eadc

Download Submit
C:\Data\2.sj
MD5
1e627b94da9fdc4b690a88a5ba78c36a

SHA1
9ffa5fea1657f7e39473e927deac18dfeb627d05

SHA256
d3b12cd97714fb396f7cfff05235169cbab1e72f6473e78eeb93480a0b3c03bc

SHA512
50e8b45cb422e18fefa1ecbda4fb1f75e95122dbf0d579301ef76c0d84d3d08cdb4890544c230341c5de88fa4f4e6aeac4b7841108a8a2f1ad6ea8f545b9b25b

Download Submit
C:\Data\3.sj
MD5
c5a9e5baf53fc517f46e466936b8aea1

SHA1
f05e916f05f4e449ff74d38d30124bc63412a213

SHA256
bb3e4a87050cbe4a0b657ea873442b915c4ff5c169bbf173b99cc66436e2f587

SHA512
95ca4d77549e712fdb35889e4eef61d4c08d1d27d9635df03cb36ee5c529f63a0811e49db54886076b9790c6bceccb5130fdaebf5ca1e3dbce7845d89957a07d

Download Submit
C:\Data\4.sj
MD5
b8804a4f516dff44b09d738e2c62f796

SHA1
6d6044c5d4bae3fd4ba91df46534238b2440f793

SHA256
57afa5ebdf825fa33c1e12f716259a80cdd78f547ed2cd81f497067531f014d5

SHA512
498ae7a557b96027ce5fa8dc94c83818f78b022447a89f3e313728c84d95cb4184cabb095acecf412a188e5618f5fb96ded77d3b7953f7c5404745a5b0aa54b6

Download Submit
C:\Data\5.sj
MD5
28c546d135cbc6ba5bc09d3a968183ca

SHA1
9456683c182a31f332e354583ba8666fe264230b

SHA256
d4a667e66ae0f2235e63c1048f6b749d8b461932e448a79c0ff8da760d2b8f99

SHA512
ad786c86e8dd7b950629b0ddec3a1a7b276daa618f64fd4ee0707f7f1c77df0a14b377203ec91fe860fb2eea3b7d1e7d7d3ae5e667d333c7421099b4adc4a981

Download Submit
C:\Data\6.sj
MD5
d12578946c310c19082bfcd3ede7a5be

SHA1
c367e3802bca3631cf87430bd6e51c4fd87297bc

SHA256
3598ed4a8ca8fb4aa399f1817369cbc73956b45c2f69334493ebef9e932a9389

SHA512
ff5df09a7b7e82fc16d4a82e4b8b2a1e5aec01cecb2af8b7223fe6515c32ce22d616c5d1b061e031f08e11ed4b15a614f4e6d1fbf309833c4158e336d83b6198

Download Submit
C:\Data\7.sj
MD5
e129e1bdf5cfd8e8ed4873fa00143c4c

SHA1
b13b090715c7fe818813e7a8961a496a3d57dfc4

SHA256
15ff7b216341edff8d128e175a8bbeb671a549db1293e681d33b718ee84a77f9

SHA512
018418553e0f8eea760c00403619257d9aabeda8d4a2115ff46e289c4c9732e4b3e83148ca7c8d62e9cc1ee7d207e71f2ae60e14324a78659c2652d862c9e058

Download Submit
C:\Data\8.sj
MD5
f7d27ce2e88da521b568796d267e2afd

SHA1
9e0b7a7b167112e31221988f04b8331de189d2a6

SHA256
68deb4d7966724030dc52d2d411eb38a6930a46085c8a2bb454487e7b3e6dcea

SHA512
3c6d20687c106abe5991159977c743f59c19cc7badfd14bd0f9e906014889b5fa5198d4c3b23a31fad3194a9e3f66fd858cbcd0fc48174b4e6196f7e92859d92

Download Submit
C:\Data\9.sj
MD5
427372fa8512086dddea2ca9373c3ba7

SHA1
27ae4b749c56ac9c7a77ef90799a487d43aa8179

SHA256
9dbbb591beb54ce1ccdcc1871d278418c2fe4d5e40d39ce391e529d8d59e9206

SHA512
074ce6a5a31813f5a05ca48bff7a70f137b98d31dbedadc07a99c19bb0bef157498c6daea1db10fd73d2896a0539264d8b1294c5d5e4db81e2ec2a12f5b18a80

Download Submit
C:\Special.dll
MD5
a2146a58d6251ab47222e68b226d029b

SHA1
f923a64872177950711f9450e6507671f5baae14

SHA256
f84b48d814a6531f722a3ff1ca51df9b7a1200a644b0e80c13e9fe1395002eb3

SHA512
d46b7a2f1b739ab553cc0346a8b19feb1765f854b264987853af1b826fd91de7a182809ed8c14c38020fd2fa37cb8c220f0a68c3f7347f152b48088f237d8443

Download Submit
C:\ZSantivirus.dll
MD5
fa6ac34f43c09064641b929db0dd3b22

SHA1
5803f03b747816aa385406b64814100c4d492d50

SHA256
1f1b078f257c1f9b9f8c74c7035ca547a721d7043a032f048378422992feed01

SHA512
4ffc579193c337fea78d8022309c2e626e181a1545822b6097b5d4f16a6d309ea9d7a27a23436ee1466bbe25d08c0c7919b69d6576fd8791cdb8c80b9d120b1a

Download Submit
C:\ZSexpand.dll
MD5
e2a305a6edf5792a63940f998580726c

SHA1
28e698d656c7a542cd206c9b0053e006d58e8ed0

SHA256
30bcd7382aade6d3bc5dc81e675f14b41817a4774c5c71b1ef7c996d5a3352fa

SHA512
3c9015a1d734daada471e2fcc1628f55055057392acbb66adab4b0c171fc0b79b24f574b093613c440d1cc7421e16be1693495fe56f8e63d993b2109fceab535

Download Submit
C:\ZSsafe.exe
MD5
207811d669828366e60e9277ab2edcca

SHA1
35bb1d01e12b8f5c3338c744cdf82a34b29d201f

SHA256
5a161fe657f36e5c866ad99d0fb2fb47106aaa18bf8d5491460ae70c8cf67aaf

SHA512
d3fe3387e43b000417cc57699d605dcd67998e06402be3b2ee03291d06be3d671cc64639c2b2d12e84e9913be16716cff5ad08b5a7de2e4ed72564f7b51801ce

Download Submit
C:\ZSsafe.exe
MD5
207811d669828366e60e9277ab2edcca

SHA1
35bb1d01e12b8f5c3338c744cdf82a34b29d201f

SHA256
5a161fe657f36e5c866ad99d0fb2fb47106aaa18bf8d5491460ae70c8cf67aaf

SHA512
d3fe3387e43b000417cc57699d605dcd67998e06402be3b2ee03291d06be3d671cc64639c2b2d12e84e9913be16716cff5ad08b5a7de2e4ed72564f7b51801ce

Download Submit
C:\set.ini
MD5
9eea1ef5d4b2c6a0566b408cb49a52b0

SHA1
deea4567c4a08f42ad9952ce3899947cdd61f372

SHA256
cbba29cb8c4cfad5f865f23d6b542a801c777fadd7ef642f5b9f447cfa66aa8f

SHA512
db34684fe89399f5dbb9cac02636f2045f6d0079b0ed9f95ec0499967015a7726b7b25edcb9ce356acca49626312a62e8954d61746b85a34a66610d16d96614d

Download Submit
memory/2020-130-0x0000000010000000-0x00000000110BA000-memory.dmp

Filesize
16.7MB

Download
memory/2020-114-0x0000000000000000-mapping.dmp

Download
memory/2020-124-0x0000000000400000-0x0000000001264000-memory.dmp

Filesize
14.4MB

Download
memory/2020-123-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/2020-122-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/2020-121-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/2020-120-0x0000000001710000-0x0000000001711000-memory.dmp

Filesize
4KB

Download
memory/2020-119-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/2020-117-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/2020-118-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2020-143-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download