Analysis
-
max time kernel
195s -
max time network
205s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:45
General
-
Target
7bafd5de1b6724962ab920f71031978a101055f061ae3cc21db8bb9fa64c5829.exe
-
Size
160KB
-
MD5
fac2cf669daebaf56f2fd4b3e0da10c0
-
SHA1
778bef878540c39021b50942faaebf9b473d4918
-
SHA256
7bafd5de1b6724962ab920f71031978a101055f061ae3cc21db8bb9fa64c5829
-
SHA512
0f8688c5f66c99e6951886c34123c5a8882e877fffd82b150810d8664784ea26e445e5dd9b93ed38bd2aff6506df2466286d0500682b6d5ebc4df12c0d0b5c92
Score
10/10
Malware Config
Extracted
Path
C:\cmzln986u-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion cmzln986u.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/37C123AE73F31004
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/37C123AE73F31004
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
ucwpbdkT3TVcDODsDEVLNqnbvmQJnUR+nCpZ4EI4YDdSK4lC7Qeik2SLisE8GfVZ
3tejS3i1zy3bFDsaq2c56tn6e42MzrvzsgZk+vVHzVElU+4FhG7cvMJDYRB7l21S
zB3CaZJr/EKFcfOs/zyWr+qNb7P4ltTvI4KVUB/h7TdOJNxxgcnc9ZGKQ7vWa3oo
xwd6jLfgdZk/5xtdJMjBo6vVBHwIPckVjorDkzeQ2i3EjwDJrgG59I1cUTaL1m5L
p107qjx+SHzAO2ql0JkqEc6LKC0JnPvKiVN8ZcTvWpehLLbC6TVH8gN6bJ8s7J0I
eyq+/6hUu11dttKUtb6D33c3lc0Onq5QHy4jDoRLevUw17g9/jW3/ThoVAw6NfeH
cHdGhRttHfqDu2iYeZV5Y5ZE1ZihRpxWLiLThXqJvvrcwl9O2KV8CGLbD8VHJdP8
2k4D9sfSz8RZcO0b8S7HIUZE1I2qNXwsI0b8iRUjtkQbinOpqK2LB+nvmoAaWXYB
9FF3YydsNEmJMvtcrKlATuvoB1Asm2sqaMg3sGriJLxbYQcnpZ6WPSqap0YQRzxn
0uc2f9DeWXOgQ9Nkl/7aFWEna6wtpOh/5YmSiH/N0iPGwBXsmUuSUKLQniHUksFI
veAqBScedgTeWGnGyheSndYNVFZwSURcILaCP6oOXVo9xQhA0gwwKaNsbb7yhiT6
vGaMbvaVmyhgMaSVddNMLPMU3owGWmkIzETh1kohNPUyvf+f9fqAQGB3RwPVg07k
esZQj2DAxlIOvbLqxww1b3zzU5IVhQK6BARvtZCX7akq1OrE+iZI/sbk7OYptc//
87a99Z+Ct1CChuu7tsjmQNBkxhG08nPKw2DWSaz2Ty2tKNY1YrmN97mRezUFVKXT
WBY3JDdhoszoR29N4wBeiDwiRIGLdtV+e4wOJaCrIcnxvHxf7hKF3Ge7R0FYaVTf
ke3PQbBVVDWJnM8dOv/jN8Y4Me1c9V4zvTCAanjQQ7JCyFkUSKbz/HTLSQRq6JYo
88ykIeuvzGy4MpNhZXnwwkN1UuRAEzgDn1bD2Qf3UCKvCxMDXvwqRaR20Ywfq6Fk
DfCh3E5Hsx4R1s3lggs0OHKfZ4WgOI9jHvLpeH3j1AgPPYsEAQAbdn3tuKrQaYVI
Extension name:
cmzln986u
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/37C123AE73F31004
http://decryptor.top/37C123AE73F31004
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 43 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bafd5de1b6724962ab920f71031978a101055f061ae3cc21db8bb9fa64c5829.exe"C:\Users\Admin\AppData\Local\Temp\7bafd5de1b6724962ab920f71031978a101055f061ae3cc21db8bb9fa64c5829.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken