Overview

overview

10

Static

static

10

c37e6fc624...ae.exe

windows7_x64

10

c37e6fc624...ae.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe

  • Size

    164KB

  • MD5

    f745cbd7dfd4a27653b477836737dbd1

  • SHA1

    8a078b872b61b7b5de9dc34993331249702d3d7a

  • SHA256

    c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae

  • SHA512

    5d66559b96697ad415ed10af0cbce4fe0c448aaf062a12ab6c64349482880695fceac509335f3d7a9eabd951b176391c4025c067a201d62887b129dc0f519488

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\6825sar84-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 6825sar84. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. If you have any questions, or experiencing troubles with the test decryption, you can use our chat on the website, our stuff support will help you as quick as possible. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/72BD99C1498ED29C 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/72BD99C1498ED29C Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: m3XoUsgxv5DgxSltNU+VUcn+3YS2dyo6Bu2YFeG7UgR5hGb4lTxZcLiAUKbwOn5v mL+DfdQulLCOp4t9pF8b/+Z5Y1KDjvKlelN+YgyJo/cWd8FCn9ZQcqDuSYa6QmOj NIDD4ke2QxXDja3Vd9hPlixbPHmfjN2E06qctBB+kfktqn0tDnQr0cMEXdEW3rte vgL6O/FewfgM/v2wOXaD8su2f3b9kQgKY8J/XMs+0egGB1E1sy5uQ6jZMeT/6sjD WesV6V6HkpA63N64qwG/bmJ/EpCEB2WpdDbs5ievxUCaMT1Pqrg5jQQENrBbIOFI V07A5NdcF1eEXrsvdwaYGPUt346WFLBXcKQDyZo45Sg6Oe7ijvnhsy8LvrGUqQlv ZMPm44fIEMWRWpjfZY7WAtduaBFPuJ7BsFMXPB8i4HBtTU9Ve7ZhVqo9/wm+F3+M u8/BR+RzEd88AvxCOvcoJIWLa9dMzD2ROI+cbVeT38xZZLIOBtxBchxbnHrGOmiU VGmuBC2Ef6dZh/ymfX4VR9HpWdLU9coYnHAAF496lF6XQMF0kINwV8/SAHU8Yhyf +8loJ61yfXsQ3zzP3bg6/GufrL9W76dlLlXuqRDk9xjD+C0AVq6LwhLNPSlAglru YfgH1FEVbreh9ZSLT+hZln6lyKS/z+kIDtSWntbwVJoaki46JeGCct4L8pIxzDGX a/utRv1zIhb4RNAaaxjJXHN3u9CXxAhvmGedMw/ZNxf/5+2KJ0+lIBTrGSv1U5pF QQ0RoUITM8PKG03NSfdp9/eo0GuWDunys5pLTbp6wvo6Cbq6y/Py/yX6Z63wwdYm 28Ph2y759NnkIYQ+QaACkv4kLeVIk2fY1OQg8f4PtHnbeOmZ6HkedcoPUP6WDQ11 T1k3FpprXXUCKKzkXtOy4HuwU9+YK+9xglRNTfSUnrkWOMQu7Ljz5t+k/hUce6YO zj301HcKzu+EMrlKBYdRKTfHNIyIwRV7QVOTyY1466wEen+4NKsnxMBY9w6eVk/a kOvBT4y0Eqh7ZAXL4lUqhDpHEEGY6Hcrr5UGi5neUcjYBMq5xolFoCB7Ib0fLJPq YrC56pJ/Inpbufjzg3ee6jke+K/6Y5U0p/PbAXfbKBClPxiO8zFQqKeiydRcczYF 6CUnh89R Extension name: 6825sar84 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/72BD99C1498ED29C

http://decryptor.top/72BD99C1498ED29C

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe
    "C:\Users\Admin\AppData\Local\Temp\c37e6fc624635f04003cceed928160fba081719bfddc5539c02bd349208e2fae.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1080
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1384
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1588

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1892-54-0x0000000076C91000-0x0000000076C93000-memory.dmp
      Filesize

      8KB

      Download