Analysis

  • max time kernel
    165s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:08

General

  • Target

    c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd.exe

  • Size

    391KB

  • MD5

    3e90448b831a31a59f12426668824b63

  • SHA1

    5ef4d8f05886bc4e5d4f609bcb0d31f8fc620084

  • SHA256

    c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd

  • SHA512

    bd286065f98d6624597ed8c25bdc487acf72fd742a29dcc6e176cd0dd783ea2f0d378ffcc435cf655f10c75232af66bb95d1d3fe8e8452058965ecbc429ee495

Malware Config

Extracted

Path

C:\gp7481gi-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion gp7481gi. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2048E42F8AFF3C0D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/2048E42F8AFF3C0D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: fPJm0GkYHoBohQyLid6WQfx5P9NMiJcQxus5RELc7DUuFlabtVgw+wH3QtKBBB6X 1I8pxo9914Ch9+xoYKPvVlHPOsdhytLZBPUlTyJYoINc76Exa3elwLPy7ZUwQbUz aOrLCpKA1JyifVMSKICZ7D3SViW2MKbNQEuhXWl+c2VdgbZYkxSoIpVZx8MYemo/ 8up56Y58YjU7epW2bsUgIJ8nf19KfPPDiCq27ASe+heTD37/9DWmvR8E5sWgN+KM O6RbQix2pv+jsB+G7+DFq39k7PoC1cZt8emyWDC7QhYnglsNaVACVb5PSIiAlfRl 5JCehaW5K+qaYgocyPp7mWfxzhTIaDP3vWEoCwjDhz/iO5YmhD3X2Hx1XFmPr6zy zQJNQ82sLzBFlwcr03ajFxRAKn/IY/vhz/TXSOo+5N8l5D2u4TJ4F1dfvq26mBYH RawRSRMIKvRtEPmWnHSQzYIxkFGRmS2iseh0FC64QdDj8DQVEs0EzUNsEb8RWp/9 fFfTrqhLFgCUCHdk1JcZMYhhQ+8HHkS07vi3qjaUiMPenHzoY9pzowX8eSU2VbZt TfV+WDUKiM9BQlXHgpRgafZ7BmC8HYoG1UQTRb6UO9qDFNcrESQY/U2lKscNJoGZ 1Y+gtQYwx+v27drg+BMhe0JoAXXnHe8oGmJJ90Q1zDeUDUUAXxEkqbQ2Tuzssv+k 3gj8T898UWKUD93fkZOXymnYP8nzKVl50Pu9qXzVPC/Q7BH+W39T/IRMVHIA/4Pd R9qCGp1pMsw1JeYQfW+cq5oj9ycsf2v5eddM+cFq0fiYUl+fLfYSF4vfLOQVyZIm /dD/gDiSq40+iqWnlS/vkfYfYTeSDDkzsg71ZbVQZfREwu/2sTbdRqNS2US8wvFa OaCzbtlMQNXQW3V0tvRP9UanR1EgGlfGU6wGjDW7ZgyGj03/BC7Vt1efblorNvWI ECD56Vf92uGbcy0SD7URyEN0zb8nhyVEmTH24XkN7eEyh3NrdUMgbG8nJIGdd46h niMxJv7EWH/Byt0MZKIyh6Fu6sBK/NRwqMW3CFifzsdVW79WaxdrKA1FQsyoZxz9 ZtOHHPXcuBkooHKBKwj4IMLW5RifM8NzMnHKkIlELoCosiFZDobYLf2cz83P54L2 qeiMK5jPTndvAHNKRa3iEDOW0xPOBUJZFYpWWIXqnKOT3jqAa1zHXSwKnSUJlAT+ kzwQIbIHUavJg+ogiUHaCIEi82gxdjIIJw4+Gtk3x4pj1/N2vcellDwTfhlN00Mn D92Xm2Uf2SfqBPh9d/vLE9fOXQ8= Extension name: gp7481gi ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/2048E42F8AFF3C0D

http://decryptor.cc/2048E42F8AFF3C0D

Extracted

Family

sodinokibi

Botnet

$2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

Campaign

1428

C2

firstpaymentservices.com

krcove-zily.eu

softsproductkey.com

naturavetal.hr

corelifenutrition.com

leda-ukraine.com.ua

beaconhealthsystem.org

acomprarseguidores.com

extraordinaryoutdoors.com

mardenherefordshire-pc.gov.uk

stopilhan.com

triggi.de

anteniti.com

aunexis.ch

boosthybrid.com.au

bee4win.com

gadgetedges.com

tandartspraktijkheesch.nl

8449nohate.org

simoneblum.de

Attributes

  • net

    true

  • pid

    $2a$10$R6jfdY.02Ns/TL60z.A74O5Dw8.5EqXA63YzUP5X2NSO0l.4y0Gfa

  • prc

    excel

    mydesktopservice

    sqlwriter

    ocomm

    powerpnt

    oracle

    mydesktopqos

    ocautoupds

    ocssd

    encsvc

    mysqld_opt

    msaccess

    visio

    agntsvc

    winword

    sqlservr

    tbirdconfig

    wordpad

    xfssvccon

    msftesql

    firefoxconfig

    dbsnmp

    onenote

    thunderbird

    outlook

    isqlplussvc

    dbeng50

    mspub

    thebat64

    sqbcoreservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    1428

  • svc

    vss

    mepocs

    veeam

    svc$

    backup

    sophos

    memtas

    sql

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files (5 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (30 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd.exe
    "C:\Users\Admin\AppData\Local\Temp\c3673d64eeafc5efafb3a756ac44f72785c28fb29912f61d0640969ec85d0afd.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:736
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2868
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1364

Downloads

  • memory/736-119-0x0000027EAC9B0000-0x0000027EAC9D2000-memory.dmp

    Filesize

    136KB

  • memory/736-122-0x0000027EC4CF0000-0x0000027EC4D66000-memory.dmp

    Filesize

    472KB

  • memory/2692-134-0x0000000000D50000-0x0000000000D75000-memory.dmp

    Filesize

    148KB