Resubmissions

14-09-2021 08:49

210914-kq3xmsaddj 10

10-09-2021 11:25

210910-njq62sdbaq 10

Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    10-09-2021 11:25

General

  • Target

    bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe

  • Size

    144KB

  • MD5

    6eaaae60fecab071f00a117bf4992165

  • SHA1

    3f84dbcedf11fd985c4400ccf7c028eb3c7cfaf8

  • SHA256

    bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38

  • SHA512

    d7768a4cafc855cef3cf41ea5417a2ba9c9847a14fd93d94c3d9c9672f7d2f986cc315cdb753b623aa1101b6da3dce3e839f6b01073b798c0550bcf95a925a1e

Malware Config

Extracted

Path

C:\iy2d2y-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion iy2d2y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F8645809FC93C123 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F8645809FC93C123 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 7llsbLMDzUKatMEA5no8H8Uvz25Yws8/cDjzffCLL6uJwvw4+8r+5EA6kfBN+6+o y8TObOaAwSmSVBvmoq20Xz/WSJlSonK/kOIFaqTjYnWAjli5uugwtCiJ5WjQ3OrR mpG+rNN0MIck+xDAklCcZG0wcqShSLfEa51G6XsRQHEuoHfUwFs4ec+NuIA3jVr7 JZ5Y60BFmqT3I+uksQBnAmvRJuwH/vksuNPg7cylx2rz7+Ln6i3+GyCNPcE4IhEc 2KMPy2wG7dEdac9/OocYNoYd/gtba75iJg3QPB1PiY1KuHAP/djy0hw+YbLTyXWm t+MBjWssJFMAEI7IEA7Hfg2K7Z0g+0XXDCQOsV9SAwCAvbiuaRT4uteJD6G6nXQT HV3PycWB4o05jYUfblfUuiZxuhtr/yJaW96SXsxnjjhV/TNdHubzZXjSV9u5wtHf x5VC9Hb84APnDQ+E1XWfhPD81o3wbttka2tZ8ppyr1GWC01B0sdEuncr49zohTnN SFigUbC0Pl1AwpGP2GA1+kTVYPlT81/EuFWeDJ8ZnR0qUkhq41C1ONQfeLF7GtWB 1aIjwEJsMrxuL+05DVGnHh9fnifyPqpYf1RMlC/RZloQOYKO0WpemWL6WZuTgbIz TiqGJSgimdA3oXh7TPbhq/T7L8fY1a0yk637OpPtOlnvBPwMR2GXNlylVpNYdJY/ zshdAYwCsk4Mcv2nY9c/935JaZbV+7UKP5gu+3+S4rrdL21S4dIDzUYg9y9kUjCp FGuv4TWRmkRjymgj7/ySL6ByT51WpEP8jU7fSZipna7SPiQdre+mcLpV3X8TJJYH sCsGWtffYKFpQBxFW8v5F1kLMHFlhcx1Mxa8BhU/X6DznYtNS0F/xMSmlzWCy14d 6RIMD0Qe8f8zIhzZRsMojdtDWUmmyLk0AB0SYO0whloL+QnZxodYs3KKXwa/ucDS pdk03yZtrWf5Gp44+6qhfpA0V78fwdU0+Genvg87MHAQ1nLbDLpyACtwgeC6NmNK 3oSo4y3rwOD8n/kLp3EBsDd0XBdLpk2hfVgk2K9FxcB90WaUTwE9lxFFjNt7x4w3 wM8rA+zhX1KM3EEvFZmiMhV7OjdGRyLxPBTRP/+4qr+C39nEd9rFZA== Extension name: iy2d2y ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F8645809FC93C123

http://decryptor.top/F8645809FC93C123

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 34 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\bf091130fc783c47357403716f5c9c217b5ade94f6385df4402e86135ffb8b38.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1204
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/800-115-0x0000000000FB0000-0x0000000000FD4000-memory.dmp
    Filesize

    144KB

  • memory/800-114-0x0000000000FB0000-0x0000000000FD4000-memory.dmp
    Filesize

    144KB

  • memory/800-117-0x0000000002C10000-0x0000000002C16000-memory.dmp
    Filesize

    24KB

  • memory/800-116-0x0000000002C00000-0x0000000002C01000-memory.dmp
    Filesize

    4KB

  • memory/1036-118-0x0000000000000000-mapping.dmp
  • memory/1204-119-0x0000000000000000-mapping.dmp