Overview

overview

10

Static

static

10

89a2ea9628...ce.exe

windows7_x64

10

89a2ea9628...ce.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe

  • Size

    179KB

  • MD5

    dbfbc199086b40dd57c667844aefd9a9

  • SHA1

    22d5bf8051eccff69ffcb3167b939312b9539378

  • SHA256

    89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce

  • SHA512

    363306bca170923bf7a6c47b6531ae7bdc95fde7a4b481635fb55b38298a918757743291a4318b158a389ff36536eb49c3457150d71dce5ee58ead855f62c96e

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\n1e9f2pj3u-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion n1e9f2pj3u. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/06DDE7DC57F89072 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/06DDE7DC57F89072 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KZgNvHA0vl6D390rIod5mK5aGkIIh3q9hvJXHlgGTJFGiYfP9A+lkiYhqpMtSoyO d11d9dMxUDYFN8yDcQj1cGUIoei3DQH8qBOzgE3X9D2PoSdawWcrNFXVZ3aNM+Fv 48EaUDIuRnECfFXagclGdSB9m8mqZroyL5YqnDe08/7+0YWKQeVvYFPkvab2sCEt JuZwN5toJALDIxRlEPS6z3on3RyiYE6AU3XOhyHjRkr2kvWPUHnZ00C5hP7P7MWU DzR592DBAs3vN8aZbb+V8USO0iBZc4ToN/w0lSrxn9Fsa0XDy1rpjaESsViIH/Cl gSgcvLYKASP+NLONwb1JByvDSvMOsKQSc1oR4E8LQ73cYTL2qs9p1vz7YgyY8JTY RAFZNWJh/pwCe9JJyHVaY2IRwram7eNfxcMLw3iX7WS4KrgJsyiEWdOG1DGs4cO9 H95xXSp+mpujLit0RauuT/vWTaUp+SoN0OzuWmHPxXJDjt+v/9ERSo/DakJhqT14 wQIK9DticqPgDwBqIXDsyIZBSsTPB7pP/ZGWZ7Hvo9TKA+XKP38SM3ZnlOmf36UK p2Jxu7Z6Ggw6hlkKkylAUxJVPHset4nw5oxz3xWd/raoxkTIRfYWhYWVoTmZ8ekU gNRbiSeswLvGKj/WrHjfACuC4qaZCOmhAPN8+rwtUl8tR73xGGoWrExZB1rQR+L6 uR8biLyOHOIascXVxb6yhM3mhMMQ6U8P9fCoDtS1K78GX2nISS3avpH/5dsB33NE NotPIFXZdq24n1sizDscCLxIveMyY70dXaVbxncN5chu0sP4uYOUgLiaViZOPEdc AsOgJuYQY+dbTd2fp+Dvim9j7z/JAqhH/5ec2ZRU949vRG8YzfsHWFHgdwISLjo8 TO/0D/yu46Q1B9ds28fYyPGa+7mxM9TOC7WW+SBztcg8Db41lqbKeu93QJsxkLt2 sdGhRniTszkeTp9T5xMV59lneayETXr5e3UD4Oyn3eNRSyAgIx+KWSJgL50a+RIL dkB1FjuqpXcWE+0K4s7cFCVMXGq2zLDIRWC24rRUao0XsTBK2pJyskvRfKFqOP9R 1SyKtDrvU8zLZnzYBwg8cCgl4D6hFB7u+yTq11rV4Cp3o6oJyAIPmT5ovoudgF8R bnAvFo0ZsWA= Extension name: n1e9f2pj3u ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/06DDE7DC57F89072

http://decryptor.top/06DDE7DC57F89072

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 49 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe
    "C:\Users\Admin\AppData\Local\Temp\89a2ea9628e0c31ad5d0abe764b8390b70cf4dbe5cdf198c4cd08efa3adad8ce.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1200
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1304
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1824

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    2
    T1112

    Install Root Certificate

    1
    T1130

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
      Filesize

      8KB

      Download