Analysis

  • max time kernel
    145s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 00:59

General

  • Target

    d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6.exe

  • Size

    151KB

  • MD5

    0ae7acfd3b1c657788f687da109f4d73

  • SHA1

    423619fd388abb37d11c2ff7ed8e08806d3e4ff6

  • SHA256

    d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6

  • SHA512

    e1ade9d2a3219d23f2cf10ce29aaddfd5a9d56924e744a975107182e6f7abe2ab4467e280e68a8fee490895d99b68b324d5e1eda6668fb07141112cbf8af7f17

Malware Config

Extracted

Path

C:\c124l1-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion c124l1.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B91CE75219894FC
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.cc/5B91CE75219894FC
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:

WSKJdtKOTQnVeMd71vTt82Uw7/rqYTUMYyjJFKNk4I50cx/v8uraKj9Zju7+Wl9k
5wlpBooCNDta1QNi2b+kHrvW3INPFsOlMTaGW+T+QyzasOsEsJ1uWtcHvDGzgTtR
VVMJ800NGPtlkqhq3hXXCRBdYL79OjhyIPrW84+4KA7KncEEaHa2RZOX69nKBuPZ
ly6Lmy8tQPqmqIClK+OhEV21a/xWNNll1YlZtCf81okvQOY082Qaz6sbGlQNPqOn
Nha5O9ggohI3L/2vHVkEAw1DQ9eP91x/hJ7/TAlQ1hdvjS3F115sj6JNb4j6jKXv
9AjKJf4/jsZIctaS+UCNRJ3J7EiWBfk6hy0vCOmoBSsu0/nNWenXvxjuj/q1Kjv/
I+k4q8U6tvitap8ACLkppDyHllIUG7uwR4hUve7Rh92nXaQIps/bxf9YsVwPvEhq
tdTMZB9REtreA5aVm3e6NfRrgKfGimR1nMic6PTVKdi9KfqcK1ainw4/m5AmkFV0
6Vm9axpBIP2hgiktKGFobKAVGzNGKKA3R7Qu+2+ow0k43jmXgdK7KSR+3LMgY/nS
6nAMIVRJc+NbExVYclG1q6qXoDHuTfoWTJwK9V/joFpk5PFbspGHuEvTOXw4uRU1
PkPKa8YnMG+9gEFKwf78SZeXQtkHFR6f9XZ4DUdwFAPOTvih3xa5ioP8H1zIa5c9
U2GAMcfZZYy7quya+lvlKHX3z1ypXsyqNFXU9IZdFIgQgbcX0YZjqbRXDTBM3uge
U2vlYoWKUsyzt4Gj09AErrD4KpDE/dhsMqaP2paeqXihrkSpMb0nV3p5yYNYKTgH
QI+HIRRi+1Ibjq92knXRi8n7KEppjXD7td4Hmx2EoD0CUpnY+6oxbfzCi9BglnBn
G8z3X4tev14f1+3UDX8Bx7eqtQaMddZzNnqPJzJEFqBF4m0UO37BZxPG72/g/mJC
GT037PTo4O7lIeEuUmWBoM/bLpwHAL04E9r99RMy4xvhnxGEPsmU5bYIIgYe+ZNe
VYifQ6v+9t3bdMrMhKH8sMswI0Df+J0iUfdKeGx0rOu7U4dcSc7fLt18NbJs3RHK
UG8H106njf/i+FKaYQ0qDHGPmQax81m9aDWygAxFWSXdP0ehy6WD0cpN5Vuj5xbL
0zXZwga+TkdO0hKPI2NsCbTT4N7OUuOV92Z79kKsMpAZTeK+A53FAYIgIAxB3nT4
6clQKZiL6qcSRcU+QVl3yBPnBxZ6aJqYp9R5CW+ImfYqHhMO8/tyT1lcd1uHcAgg
9ZbHSu1gWE46zCRRiyGjcM5pchQTVVKk

Extension name: c124l1

-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5B91CE75219894FC

http://decryptor.cc/5B91CE75219894FC

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6.exe
    "C:\Users\Admin\AppData\Local\Temp\d21256e08fd2a4db8f28ad73a4aab17048b9f234bcd911d99d5b4f1b1572a1f6.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is UTF-16LE base64 and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - i.e. deletion of Volume Shadow Copies via WMI, which is why vssvc.exe and unsecapp.exe appear in the process list below)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1920
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion
    Modify Registry (T1112): 3
    Install Root Certificate (T1130): 1

  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1

  • Impact
    Defacement (T1491): 1

Downloads

  • memory/268-55-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp
    Filesize: 8KB

  • memory/268-57-0x0000000002600000-0x0000000002602000-memory.dmp
    Filesize: 8KB

  • memory/268-58-0x0000000002602000-0x0000000002604000-memory.dmp
    Filesize: 8KB

  • memory/268-59-0x0000000002604000-0x0000000002607000-memory.dmp
    Filesize: 12KB

  • memory/268-56-0x000007FEF38E0000-0x000007FEF443D000-memory.dmp
    Filesize: 11.4MB

  • memory/268-60-0x000000001B710000-0x000000001BA0F000-memory.dmp
    Filesize: 3.0MB

  • memory/268-61-0x000000000260B000-0x000000000262A000-memory.dmp
    Filesize: 124KB

  • memory/1572-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
    Filesize: 8KB