Overview

overview

10

Static

static

10

7d0a7b508d...ae.exe

windows7_x64

10

7d0a7b508d...ae.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d0a7b508d1ccc7ce49b234a25bff26c487a85ec7e81ddf6325e8e301516ceae.exe

  • Size

    158KB

  • MD5

    0cbd8c3308382fa4accd5667339b6f7f

  • SHA1

    6fcdd459d0605cd16f01dcb864082cff023c33c1

  • SHA256

    7d0a7b508d1ccc7ce49b234a25bff26c487a85ec7e81ddf6325e8e301516ceae

  • SHA512

    850d8cdd4cd22b0a569f91d770f6994f05542b21b1d65eaf1ce22699d09bc7606143eae501dea9ebe3eb2e03092ab6b816605bca208cd12501eb693ab8970652

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\c80pl3h3l1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion c80pl3h3l1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32FB57BF41A4B36A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/32FB57BF41A4B36A Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: yP9vRjPqwPQ9qSipYTC2DOBkcYqzxDprUDDz/m0KXNSROALbm2FS6irq8emCCM43 wkKo9WM/jpkwAuQFYqmBTl+kHTH9h7jM83tNbPYLcAruEOpr0DBEqoWlllYakA7m Tc500gTaqkj+lrUG1zEzKsAJ4OsgwkW0XCzk0Hbyg8n6erwy5/OWDnRP73mymBPi bYffTEd4n4byU0jhsWqCFBI8etB0GlC+N9UvamfM0BXARwfvZUycxc9Ddi7nrOFd 9Bi+TUXSx4R5w/O8eHNsDKIsAkx0nHHoolV/anynnj23f4fn3298XqX49Ge23IiO myv+nyK/lByqEosB4lhF0uNz4YdKgPiZ5LpltuML6zxDlUjGh3hoImCRaMzYJKD3 T+2aEWP7Koa86W6ic0wR2lu6u7bsXL6HtCi29uq3tXjcfc2uDBp0BIO+F7D+f8qh cc9BGynKaCABaqwxLpw4go4xwS3F5ooB9OkI/gihRMDnwl/BOeb2HFTleUgxeKlQ P1vVd0qED5YxQfRu3aMFeoAWAcrCSnGWVPTLXl/OqgM7kAjHNvTWdcfnZno0vGaW s0tI6I0kxgtRLqN0ha0Glbpabrz+i6E1KLy+ipQbBxZx4RazPvFVcg1ExmjcVSct YxIqX0YQJHJOj9K65FYkFBTGpVtPIabw8Wtp+3E9woV3Wn9P0PJqwv6CvYCfA4OD FXmHTntUNPFZCFQsh9JEj6t/s1t++9z9aZxPqer375+rfkJNhJmiLEIxDrSWnlBP t7r1j4YfLalHohBVjElvKav3wWSAR1Lv/UsKmxY9ki7Q8c0Awr3NxKUCxGRYJ7GF RvDf94vrBxWF0aFvprnKrEqtSfZOAiBVOUoqEFSbmLTCPazJxYJlsY1LD8QJ5oIk FPMcAT1/a/+9T501TsATwUCCiVPq2NC6/ge2eK4wyPjrfoSFEfMGB97YmJ+lliIg gaVI2/HFBJbMdYpNzpAvNk0PRKgdEie4wBwYJRs761t1jwtqbeNdvie6ESzwOcKy 52ebUlWHp++eJz11ulm+LRKIGWw2dD90OiL1MknfsWmuAhaW+Tu3o1o0QbaAXtdd BAoxauQkDU3WaA+hZH3ceulV Extension name: c80pl3h3l1 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32FB57BF41A4B36A

http://decryptor.top/32FB57BF41A4B36A

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d0a7b508d1ccc7ce49b234a25bff26c487a85ec7e81ddf6325e8e301516ceae.exe
    "C:\Users\Admin\AppData\Local\Temp\7d0a7b508d1ccc7ce49b234a25bff26c487a85ec7e81ddf6325e8e301516ceae.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1080
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1584-55-0x0000000075191000-0x0000000075193000-memory.dmp
    Filesize

    8KB

    Download