Overview

overview

10

Static

static

10

c5f71ac7aa...ff.exe

windows7_x64

10

c5f71ac7aa...ff.exe

windows10_x64

10

Analysis

  • max time kernel
    127s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5f71ac7aa3ec91e71febd389a8b7ac5279dca96b1dcd94003c0a5e8f187c7ff.exe

  • Size

    164KB

  • MD5

    5265f0a3ac7923dbd8652b26f6a6a66d

  • SHA1

    2965318e838ebde9132f1fd847c4f8be2f6d10b2

  • SHA256

    c5f71ac7aa3ec91e71febd389a8b7ac5279dca96b1dcd94003c0a5e8f187c7ff

  • SHA512

    649daab72ce47949921c3d69abe620d7465470988b141535eafc4237b997881450936ec42b4db14b4caf407df9da03eecfe32516d611952489b3493fadad5917

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\r283xtfl-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension r283xtfl. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0F9A74BB1CBF3DD 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D0F9A74BB1CBF3DD Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: t0gxs8CLDTQwr/TQFRwezNzDMiA+33FvykzzNf0l9F4IAxK2pEKHL2y9PqTJUod7 8R0lAHBk0ikumNnGfK8CalejdTlGB3Cw6YxNjYw7d42SgiHK9uaUIhDhzV1Dr2IA 2ZlMD3ol/hHD3LsmDGalbweitH6fIEF9LZPL7fay9mqclErREURJD0O8v7s7MdKp XFE5/6jMqN+7J6uJ6duZtqWEtaEZPywV9Q3vLm/jwN9PeqAdQAews9R4PLE1npiV UobfkQ0L+W9ZwS1ybtAHeugyo5ru9YBt/6Jjz4JP9BtANKNMGNz/Sqd06RXY+Q5d 3PlGNB5GbpDBjZWIG3RHsWrW0QPN1G7GE4G8+yAT4V0vjybnemiwqPBx0h9ye1wl V7NnhBM4CyjgM4vlwykAE7G0WuTUaJweE9yPADEtv/xYdWYr9MA9V4jz//IaA8oB DgTwFoQOP6xvTlH+gsx6mixQsa33ccnWHA6h5k8xd5Dka51KJpmJUMEJCBktf6w8 EJ54SkOY4ZErEbu5B6JjPtDgPbRchSJKy+ilJpbx7zPQIn5xivnyLBq2P8o2Xglk wunN1NwMJEVrgJHpFrgc4XIwAhfn36bE/TGwfMiWH7euDEQk+wGIntvqdBJEk9MM FBE6P1ul/FikF4UnOQEbpI3Srjw5LRSBsT1uQ28cbXnse6hmGz0UPluIXWL+VqSZ 5GB0+TmpbfA5b+f4WW0tHCVno6mQ2kZvqC8dlX05wduU2SFRDc7DNTxQPWAKFb/I zpR/xAd192Nia3UcDoJ5C9j0lUFURtSCCch+Hf7bCgjWV5pQxaPmDxiZmwnetE/n eGEphKazhIlr5f4BUsW+GBGVB0fCdkx3ZnFf1xhwA3jU8W+HH+vJRSoL+OoyKRcg oEq/+7Ll3/wGisdive14psptP6JKE1m0ogvaNe5NyMIY/3hApSdUfNG0ddSK7sWW xjH5BSEy11tBBVkAQrixJ9eLva0OCe91vexHV7D6R1jMEdF8T1wUzlz7VPeh2eha vtf3KIyYgjvbZ1ndmUUwNt0xVC7g1oU5lG3OIxg7bPNZ3wTcEojgIzaYHazF89bM ts3RO2DhaBuj4eUMCfDtT92QC/Z03j4OjnS+ue8JFlvkGxoPtPCUMtdoPWPoCp7e fkF2A1OC Extension name: r283xtfl ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0F9A74BB1CBF3DD

http://decryptor.top/D0F9A74BB1CBF3DD

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5f71ac7aa3ec91e71febd389a8b7ac5279dca96b1dcd94003c0a5e8f187c7ff.exe
    "C:\Users\Admin\AppData\Local\Temp\c5f71ac7aa3ec91e71febd389a8b7ac5279dca96b1dcd94003c0a5e8f187c7ff.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1960
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1248
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1280

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1548-54-0x0000000076491000-0x0000000076493000-memory.dmp
      Filesize

      8KB

      Download