Overview

overview

10

Static

static

10

c55646354d...le.exe

windows7_x64

10

c55646354d...le.exe

windows10_x64

10

Resubmissions

23-08-2021 11:13

210823-gdvketlplx 10

29-06-2021 08:46

210629-d63daj1whj 10

Analysis

  • max time kernel
    1017s
  • max time network
    736s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-08-2021 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe

  • Size

    122KB

  • MD5

    8a7deb28bf1fc0925142ef2f9bac9883

  • SHA1

    6e9d34c13f303ba3f4e5edec702383e3b293432a

  • SHA256

    c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd

  • SHA512

    3f9298131593033c439d99107290461370c675925213f39ba9ffffc626b9cad6e6e4f6efcd4c1d4761eddb7796fa6e36e1a519617176d53d10e551452ef00dea

Score
10/10
sodinokibievasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\j953co8562-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension j953co8562. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60FB08DA683F01C9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/60FB08DA683F01C9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Drnn/+VsgOxqfM8eJCrT2ffxN8nNymcf/zC0DgLWlzhT1R7xkV1yFFz4hleTYkvU 6eBdclcNN8MCi9KcWCko+/rHUVoTlhCVyDqyVe4X9Pmdhnxi+OUM2s0ch/3wjfis AqpCNo4E6znwlbTCWZj/YgJhr2ydYIUxDzt37OJ0ZfokNaxVZecJN7RG0olD/4Rh OxMt6WGiyaoF445s+0I0uK01NGxRAQHz1D+KBspxZTDCWD24KqKATZbe62coxwa9 hedxksbPcS0igK/EeNoKkYtEb/GPhBGe4Il7X/aP87xVVWluoE8A3mcE7jDxpxp7 tpGvH/O8eIkGeT65R4YFBccX4P+0uf0SRVDCPtnjwzXAckDU0n+j++Xvnn+eolSq vlspE+VnxQlivZpVn1D4CE4bkPbb6BUniHN5X8/c0T8PZ7I0sqXS4usrgIACNRt8 9VF0x9OxJTM+5jlY8Cxp27gSWJwnK2qI++l9Lom1r56Xv5s4ofwd7SvWv1jmx8/U 5vQHFGDHj5Kj+VqA2BmybQ8ksAnPuskLz3Q8m6e7b55Z3ez3QmyA6jPs9XoTMm8r wNOzFw1HvXWb6kLxIOeqZWWU0En3lRagf4WvglGEMKgy4IWwuTwwJkU5agPLL8zT 8VSmq7ttGoExuDeTTLb5mFfrTtzwzqlnRrzHzjAbfIuv4HeV/xAmvDLbOUGvnQJG +PjJnlEgAAKJp49I6md2RDEHqN/8Ph1rcchXzMmLm8cF7+naEuafIxLNzcWJVZgo 5y7oRnxdEr/nXYyX8o+8v1aL+H7mz4l7GV5p2n3mF+9P9lTPUyJFXgk8YzTF7ZMO DVx95bX0cxIoCbHgt8ff4AxCp/aNv1iJIGGIKNVMM2GIC7+pfvDxVh6dh0gmpM2T hmZQ1TFH5QcND8ehsNLEET5aOy3EOsToi0VQDYC2ZoO+VlZ473ZlESycgrC6DxTs W4R2tUX8RYeP91TBmHgaHubCgePYVdks6sFtWsrXxiR5949QuYHVjWFjD/BgGO3p odfjXX2akRXDc76Y39S8KKfMWFtHZMi0yPI+EhG6Nf1gNnqguVEv2btn2n7fgqjz 2fvrP4GYYXT+CRfzG/d1VuQinhfmPhjRHAHdwaqIAGhMj5v66og/L0KaGoZ7m/5j PnSEzw33iUeAP94vTCE/BOFnW8V3tduWTtO3U2wWe/cowPDKX9CoMyfKnS4OjKid liCUkPLz60147wnT3+Phf/HN2Jtq23jag97XEedpAcG1LRuvIh2kEI5eE4lIau8b GLFTDUWCbPcVgTI2m74= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/60FB08DA683F01C9

http://decoder.re/60FB08DA683F01C9

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\c55646354dd7d92f9b3252c8b817baf22157610d9491dc7d0f299dad64d8eacd.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
      2⤵
        PID:2620
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:3936
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3728
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2492 -s 1124
        1⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2128
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2128 -s 2088
          2⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:264
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1072 -s 700
        1⤵
        • Program crash
        PID:2600

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
        MD5

        3e332cf769b55f7ddd344ba5c0eadb3e

        SHA1

        31df5840d2d886d74226bb2f9b9736bc544960e7

        SHA256

        2188b519aabe9334551acd977726c0d544dce91d32d1261856d46427849401a5

        SHA512

        f1be14455d0e92c5f67f436926bf2dc72d974ea511b5e5d62bdbda72ff4a4436671e9aa6a89c7d035f2dce859d5d4c29ed1f316ed3b8180d90155c906875a01e

        Download Submit
      • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.j953co8562
        MD5

        f4a99eba9d300a8ddcf5e219e346a5d9

        SHA1

        65ca71d517e55c96513097b44dbe2efbf2121e15

        SHA256

        f0ee0afe3894cef59c7fd8383da9120ce435e64baacac263ad4ea83fe664260a

        SHA512

        cdb4da825a77535a60396a73b9ac80d3ba7ec9de27677b1f6d9c7ae444d5a175daa0dcfc7aa086d7c84850f64379e987f1eab7cfdaa32d8428fb3c5d6e9fa454

        Download Submit
      • memory/2620-114-0x0000000000000000-mapping.dmp
        Download