Overview

overview

10

Static

static

e2a24ab94f...a2.dll

windows7_x64

10

e2a24ab94f...a2.dll

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-07-2021 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2.dll

Score
10/10
sodinokibi$2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq8254evasionransomware

Malware Config

Extracted

Path

C:\jgz1zc-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension jgz1zc. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CADEBA812DF55723 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/CADEBA812DF55723 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: f+lwo70GxIXOMe9ZUmMV8z0vtR4FgPw6BBIu3nuJkoOSYtIxeie1nTpUnX8IKL20 g0XtAM9UWnljiShvaa6Bnxz25h04o0OvwtdeJcs00mru91+1ke/KBYQWN9+gsdnU IEUdG8lIUigFvAsEnaRZdfBv/WWM5t4ENKyOzzolvp8mgyKdhadSOVei7KrXQXIy QjnzrTYV0XYXHFm/j0GWx+AjUOw2eP1LujvmsFmK7ExtbNuY714ererE32RB7owl Kevhne8/n6NcpF0tAHX2bRmvJeM3rU8WLQaoXBrqpk9REIdNv0jjtkE3cTgi6sRb BOlWal2b4GhJw2ftdmhXM/PoqT/bovCl5D/xh38VE2FH9SIQGPi+AjSLfzkG6Lwp UB/oQfZxpfWS7kETCmUxegeDv4BV1+HJDKOTHv7Zy48oFtNMnTMIEtfKFjIAWno3 s/3VgV/dbyn6kfKKrLMPYxp3byum36Xu9PNdMNLeb7pWdobzQ7a6Pgby9GIjis/l RSwmCgAfK3TvYSqLpxdcd/J9otcg/6gfqqAEPP71HkgP0XLhQsgPvxXy6B9QXg0L +fmhOOIV70Q9ph4O2LJdhDTXIuNWRB2Utyg1TgqZU5MLXjiBVjxk13hdouOW5lOk 3t0tTK7N26ZO28YHSHeT2qLc3Bo456diuokoYqIzfkW1ADpWqnVyokVjv7Bm8UaA EN4vSBpLy4vqg1CWyDx1ZllhSGBVaTY19Mt4DHH6zIV+iAURnJIvrD0Fu2z65R68 mkLfJVLZOvHZuAUb9Vhc2PiV+vX2va+zZU8SbITyfOU7NKff5JYMhyhf4JnA67Ea ZvDRrx7o+xe62BHwFLJLySQSEwU3W21KVE06ke8OieocoRxEj8NUwKbpMKEq3KyA +3c2iKEq8sgTA6kb6q6lIQClTSrFpGfxg7XRGQhgYQn0VWJgLSh1YS0VyS5rgJ8/ gvmjbLdn1FGdu12cw1fNXO+oBfIip1l22EElrBQN1YkEjq69MHCepreu0AA7UmX4 IB9Pv3qBqNI5IxcesnbaOxlbWr6ujE5aATpVQci3/aWEUw3ogJOOsHoWX30Tlata vhsInwYI+nYUI+ozFKOSBuJ0n5j9+581zTsI4tqU0GeQ8PVYy8AIF5/W+S4huloG ORIeYY5+84Hf0uBwpxaSamAxnCv2e1z1mxiXME1BHPV8j1EtwZrDNxjwU3RBea9r TlySMCjR8ilC5XrQBCAj0D6Rk1d5gnem6e0N6uQdKkUuZ3FTQGRkzJYHKiB0bplG GwyvTKzs ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/CADEBA812DF55723

http://decoder.re/CADEBA812DF55723

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

C2

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au
Attributes
  • net

    false

  • pid

    $2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

  • prc

    encsvc

    powerpnt

    ocssd

    steam

    isqlplussvc

    outlook

    sql

    ocomm

    agntsvc

    mspub

    onenote

    winword

    thebat

    excel

    mydesktopqos

    ocautoupds

    thunderbird

    synctime

    infopath

    mydesktopservice

    firefox

    oracle

    sqbcoreservice

    dbeng50

    tbirdconfig

    msaccess

    visio

    dbsnmp

    wordpad

    xfssvccon

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    8254

  • svc

    veeam

    memtas

    sql

    backup

    vss

    sophos

    svc$

    mepocs

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2.dll,#1
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:496
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
        3⤵
          PID:2344
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:3836
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1296

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Defacement

      1
      T1491

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/496-114-0x0000000000000000-mapping.dmp
        Download
      • memory/496-115-0x0000000000B60000-0x0000000000B82000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2344-116-0x0000000000000000-mapping.dmp
        Download