Overview

overview

10

Static

static

10

c55646354d...le.exe

windows7_x64

10

c55646354d...le.exe

windows10_x64

10

Resubmissions

23-08-2021 11:13

210823-gdvketlplx 10

29-06-2021 08:46

210629-d63daj1whj 10

Analysis

  • max time kernel
    634s
  • max time network
    749s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    23-08-2021 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe

  • Size

    122KB

  • MD5

    8a7deb28bf1fc0925142ef2f9bac9883

  • SHA1

    6e9d34c13f303ba3f4e5edec702383e3b293432a

  • SHA256

    c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd

  • SHA512

    3f9298131593033c439d99107290461370c675925213f39ba9ffffc626b9cad6e6e4f6efcd4c1d4761eddb7796fa6e36e1a519617176d53d10e551452ef00dea

Score
10/10
sodinokibievasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\p8e25uzp4-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension p8e25uzp4. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBBD40218BC711C8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/BBBD40218BC711C8 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: tx/2uuIjxuUBzpTrTsla/9Vc+T2jLyivqlmtUFkL2B4M5PSIQXcIPa66Qv7R3fYH uPTWcBgEH6bf7SZIy3ATr5Uc0hhgYye0s+x7/t5U9rgZurEe55gCc8FeYmcj9Cyw gIFXrpaVH/8WQEe9KNRfkeGIgH5OPxKvewsbcr1agrUfgYrcSgo+XePHQQI32xTU 7RohPmeYPTchevfsNxfsg/wcxUdof1Eu1iBw3g3TIUTM5VEYtClgdyFrbZFGFSTG 9zK1DcIetlKZXdlcltNLH/LsIIGPGc98G+KFJ3HcXbXGQKi7A/t8lU44gl8Ss2vX 6H3fbHxSFyOVEnTfBYo33E4d5UC5SPFbVGapwNuZiP67AEg3zVletaxSfzFjsj9P RVxqpP4igwkI3xDlxSpIJf0a5yM5Crmm6mXxb4gRmIvKcegkoCLoxO8FERs6XkaT hZqSJiSHNvmxnE1gI19CQtRqcAYTO9aB6iW6EGYRJ/uW4X773ABdk9B+T03hm/+I 98C7jj1uVAcfV7dMw4eNWGXg8riz9lC+T37N5rRphPNSHz00RDpju0nChKaenpZW As8rfo0r5IcQ7sKlkMNj4YzGJIP0YJi6w3wApQ65iXs4TyjAkXTDGNVDpuCyvrBs tmML5TKQJbEqP3zSgdAdxXNiQL/cBAOsL5c0NHBADml5rwnAISv09B1BSFhGwej3 ihznz3aJ4iFo93+caZ/z4rAaeF3BqnMBeoVjzKqcFZtC/KOFplIcY7GpGBqNAebR 3zITM/FjUh/o379L1ygljoFCqraO2quqheMbBCTJUveKjc9QJWrs5zRWGdtBiHlt X+0bZPYruGWEpQhpV80GRJ3R6ITDKs855Fn7J0wOeFoff/JHRzw14ly9rcdi7h9d xfPw1+3LWbBk40eAcUvMEgDmMA7sBqY5f8iuHeCGiiz38GAjCt5rZi0IF7RWPM2r /dmp2hs03vFDB/1jXMnU0ypMWUIxOkCHA+mX95Nhq7sZvCQIWHKo0u+Yz3Xa3xa3 4Vl9lQNRCSweLDSn8OkiS8+E0QgeyC1pOvpb/X9R07tcL79VGI+/gE4zMQLCjZLd Qs8cJkRwRrVWrQBlayLiD7yCs6s1QPC9D6BCXNUFETtWenEMFjSNbyAN8rq/vyDu w2gmtm2KwQUkjNqlUhyhCIyEAjbjEcabZbd0lqM9CGX4wZXYL+2w20rCkby/GW7K Y9vKbkzjiYLYyjxTOoyKRy7It9J3YUj343hvGwYZW6BtV87brigG208kxZkLXP6t fWxlWNhowW0TNOXNpIIbcCTnD1/VtJrKVZppXA== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBBD40218BC711C8

http://decoder.re/BBBD40218BC711C8

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
        PID:1720
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:432
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:1416
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1292 -s 2240
        1⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1864

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini
        MD5

        ca1d90932e3ca1692b2a8747b30611f5

        SHA1

        dcf0ecbefc6a4f274be217183dba0ff85251a9ab

        SHA256

        1f82a472745ffdc4bf663db306787315cde5a9533b766d5c2771729c44acceaf

        SHA512

        07d4de13c6255f86629ebd1a2d5892d7992643bee778e6b01057c6aace3d08723dd57ddaa5d8f860f7a1fd427f9ac33401f1bd34757cc871800491444618fdd0

        Download Submit
      • memory/1660-60-0x00000000767B1000-0x00000000767B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1720-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1864-64-0x000007FEFC301000-0x000007FEFC303000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1864-65-0x0000000002300000-0x0000000002301000-memory.dmp
        Filesize

        4KB

        Download