Analysis

  • max time kernel
    165s
  • max time network
    181s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:03

General

  • Target

    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

  • Size

    207KB

  • MD5

    98563381bf9dff3b3e987e969b31ce33

  • SHA1

    bdf6b213a792dbcb74ccf4a3c86fa565f248505f

  • SHA256

    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde

  • SHA512

    5b50e1162acccc13b7e4af06dae5df1ef0b1a2c136e5105bd32188752da566a0434fb532321a5a02ba5e8beab2edbf7e9e13676994d1c2f8940eeb0f674977e9

Malware Config

Extracted

Path

C:\vlnniw6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension vlnniw6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C90C7DE37D5511D0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C90C7DE37D5511D0 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: c0hvBz9QNLGuvZM8xvP9Lo/sOVZ1vkb3nPfbaGafxyTPIg/elQTcCLscNcDj/SoT d2fjwj9uQZafAvLR1c3pa5ZkNvOKZshaNgrfvtpAfiZ2zhcQF7e1ColNjEd/6nfU oI9yLKO859oTM5b4H/B0VhOD5n7mau0DaG6b8rvVdaV7CZ9q9CJylntSjLOCGuCD JLzcGEdvUoc+ulPtMTgLYQFjSHobr9r4/x3yMzGTh45vA4wNn4Umoq1Tlb5HK2c1 PNa3JCoSfLFMx1+MdK7djMUQmq63xO6hDAM+RaH3KGxZrcK5hOPXI6d7YXi/h+Tz brkNfJIUKSwItz4O5KDQ1PwVnVxIRESJCwNWJJqD72zr+wISIMp8lktvV4w1dXPc tDfOGhBjrRyfIzazAXvlIX90dOfu7eqNhAtgfXU4htVN7eicj9og+/yvvTrRd0Bi 0ht1Ar0axPt0WMxdI7VeqOWr/Sw127/kcw7Pizc0ygelUpveT7LAWegEQ/8InZhs XSs0PlPyFAgNpiuzmveSKCkAWvK317pyEFpm3o1H8q+5I8s7L45oBJMWXQAkvO1i 7gSDPBxcilSTZQjwc+08Q+4MVNSSbE93Vvv33dTt1ikdEOL0TCxNLuBu2EoNn2va iyL2WOlSBtZiklMzELzA+Z67c7Hg6IanAH6E3n+uny2nUBlzekGfpP/7IbisQ/Fv uG1MfHD8QLtUXI/g8rIsH1QahztoUugOjP4+Lr+iEc8JHKJqx+TFIxMEHNnutUOk 8GOV2W7JUY89grFFSKlG0MthTIPTHjqp0kbI2F8/v4TTesC+mO6t6iRb8nqr0vmU NYich5EkTd9XrdrY+Qz3xMaHpUB7/5z3DUXPf+zi89kcChYCNsw4unXgQr2g7v1L +E2LdhkWozwclzq0RnPDgrpHKZ6Z3RQA5ZaJ58P0bml562UIKBqrXSuulbMCAdTJ PhLZ3x5nNPjD+law/EG1QwR4T6UOu+FWuAl5GStwoG+zBrvf7ngp7iul8KMW0kFP gxBYkc6DEdyUeqkEr1HHVlohch4M7FeSzDKAwIbHWMl2KkVRzwt98e6G40P033AN J5Yo861Ska3JipX5iZHJrusBgVmoAPW1daWFoz3lAKLKZYGb9SWlRR7Su3F/ZhJO JnZjck3mrDHDIJPU5pMjBysI2y+yFq3YxsAW/BWK9+lLsWxQVTm84d+hKE7Uzn2A wXmmfGskRLqwJiU4C9aptAWEhf3K/OLHody29MtXIX/jUYd4wUWkKUYG+J5YRGo0 ZYh12ALdRjMtPkGX/OpPiRjC ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C90C7DE37D5511D0

http://decryptor.cc/C90C7DE37D5511D0

Extracted

Family

sodinokibi

Botnet

$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

Campaign

3253

C2

pier40forall.org

sandd.nl

thaysa.com

completeweddingkansas.com

gaiam.nl

dpo-as-a-service.com

aarvorg.com

personalenhancementcenter.com

cheminpsy.fr

pinkexcel.com

rimborsobancario.net

deepsouthclothingcompany.com

ligiercenter-sachsen.de

webhostingsrbija.rs

marcuswhitten.site

asteriag.com

edv-live.de

levdittliv.se

vickiegrayimages.com

iwr.nl

Attributes
  • net

    true

  • pid

    $2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

  • prc

    sql

    firefox

    visio

    mspub

    xfssvccon

    msaccess

    oracle

    ocautoupds

    tbirdconfig

    infopath

    ocssd

    excel

    thebat

    winword

    wordpad

    steam

    isqlplussvc

    dbeng50

    outlook

    thunderbird

    dbsnmp

    mydesktopqos

    mydesktopservice

    synctime

    sqbcoreservice

    ocomm

    onenote

    powerpnt

    agntsvc

    encsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3253

  • svc

    memtas

    mepocs

    svc$

    veeam

    sophos

    sql

    vss

    backup

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1740
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:892

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

      MD5

      9efbbace685671cc174a24989e4dda08

      SHA1

      9234b5bd774ca12b0fe46ce74c80f1ea76d85600

      SHA256

      65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

      SHA512

      a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

    • memory/2856-124-0x0000020AF1C00000-0x0000020AF1C22000-memory.dmp

      Filesize

      136KB

    • memory/2856-128-0x0000020AF1ED0000-0x0000020AF1F46000-memory.dmp

      Filesize

      472KB

    • memory/2856-135-0x0000020AD9B60000-0x0000020AF1C50000-memory.dmp

      Filesize

      384.9MB

    • memory/2856-140-0x0000020AD9B60000-0x0000020AF1C50000-memory.dmp

      Filesize

      384.9MB

    • memory/2856-142-0x0000020AD9B60000-0x0000020AF1C50000-memory.dmp

      Filesize

      384.9MB