Analysis

  • max time kernel
    133s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:40

General

  • Target

    85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe

  • Size

    164KB

  • MD5

    6244071a79f902d38b330234e659e1c7

  • SHA1

    39c8ea52884950364b18eeccba7bcdfadc263cdf

  • SHA256

    85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7

  • SHA512

    072d42f0177a5772442eb7e07507a4cbb2105df63e3015f1556d56def4d801e529f585b8447999090dc2a590177b0f4b1a2bc63a38d60adb4cba7fd080f6c402

Malware Config

Extracted

Path

C:\How to decrypt a52iae-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension a52iae. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4634E5F7AD213DDC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/4634E5F7AD213DDC Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Zvkg0bCB9XDUiFkSTPNxB3TfXWYmkg1GblK81LNAFejqOek3lJFR3JYJaDZh26gP PXOLmvbttSHyKH/+k+9NPs2tDqXUB2Fq0p7NhOQbySYbC1v6CJyOl1c0FwSluV3x OF/LVIaJ70JsGq9bte37viYXCn3SUR8LZkqkFnCFvOexuQI3kG1QL09IwWCv0OSV /QBjAUKTUXTWPSXyiQ1/3L0Yz/rm7pfh40OJUBEqXL0iVWpQg7451xC6l0Ho5H+I Wt4keUUrPFR5tHg/xpxqBlW5bBzZfINDH96R+13HaDhUNWlsW9U6whFt34uqclAH jdWYz5Sulw2UJWuvdciseXeQoSIWean0RTZWLqYVH2x3bHs8WEx7yhq60OrrcQ5K S1kjixImPnL4G8mStmKvjPBCGdkAWXIsyJExRAN5CwCrlQiHrjbx95UdpxbsYYMe 62SUcXfFHTVnftt5kjD77XS0rbxyMLQV8AsyMWh8DBSsZ2BZ5Dpzj/E056C/lRB+ RDm2Pzoyf2SqvjSCZh7CoIxjMmlG1b63Rh/NWG2kOG5g4gc1FG7xRIrxqkMWOp5O pSkh46rho+1CR2zlfRoLfe5vb9ITjvAEk5J0VOaO5MyyDyiTg4AhSVAkZnE7lAsw ANVxhFLQjELO58vGpXJdRip++KW1L9AvsNRFze5bnnG1h52XKv+FZZaz5mJ4o0vs /AkdNMyV8ya+RnHnRWUBTG1goaTjOqWXwalgOTAFQGIxaF69VML631GQ3nGjYOSy T2Q5pucN/CvBfHnwtxI7V/ZzWmAkS8yQ64gwQyXSKY+BJQlSIhE9HHny1YutStO3 NyJnf2e4XLRRjvrV/QvDjtk0Tvn7Q5gEpxGUgUhzaPqzHhoyUwc8Gi0tCLVZT37H nzgnuGGWF5wJsXtd8agVnjZibC68bcYqYRe83U3UfrmV41Fdwvr7Nui6l1nkQK2s I4omWn81IY51+j6AsWNljcqvcT/zw8j4l/2tYxja+9726ruqEDOQT4OIQ/aVTdve h6R5EHm2T9aLtbw0NqjtStr4UVU/eKnmVpiY/RYvJ7kE3Q0xEc9HdOQXjkWwp3pI NwOyW0eMl3Pak+KZxDmzy682MeNrTHUAZTsDERjJ+3MX9Fb7iSOU3uUxewhgvatA COlEbQ== Extension name: a52iae ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4634E5F7AD213DDC

http://decryptor.top/4634E5F7AD213DDC

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files (7 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (21 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe
    "C:\Users\Admin\AppData\Local\Temp\85b302cc60b348fcde265ff3def78bfed528dbad0590497ac69885f628669fd7.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1288
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1632
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1104

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    • Modify Registry (2) T1112
  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (1) T1082
  • Impact
    • Defacement (1) T1491

Downloads

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1288-55-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp
    Filesize

    8KB

  • memory/1288-57-0x00000000027F0000-0x00000000027F2000-memory.dmp
    Filesize

    8KB

  • memory/1288-58-0x00000000027F2000-0x00000000027F4000-memory.dmp
    Filesize

    8KB

  • memory/1288-59-0x00000000027F4000-0x00000000027F7000-memory.dmp
    Filesize

    12KB

  • memory/1288-56-0x000007FEF2D90000-0x000007FEF38ED000-memory.dmp
    Filesize

    11.4MB

  • memory/1288-60-0x00000000027FB000-0x000000000281A000-memory.dmp
    Filesize

    124KB

  • memory/1668-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
    Filesize

    8KB