Analysis

  • max time kernel
    169s
  • max time network
    184s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:06

General

  • Target

    c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe

  • Size

    160KB

  • MD5

    4a02e6da82282ffd3989faccf3998074

  • SHA1

    a35e676b41a0870b0426eae4fcf7461842d6a4d1

  • SHA256

    c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97

  • SHA512

    6d28e6bfd39d90b7c2d602941b820fe6f65f227b6a53fcc89fee82b60e5aca572c59e32f56ac7770b7fe135db3ad085499e2505f31405bb6d9b120485ca439b9

Malware Config

Extracted

Path

C:\k8v6l7fv7x-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion k8v6l7fv7x. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D672A7A368DF6DE9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D672A7A368DF6DE9 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: WIttiet5uhC/c5TztShBBpMlwlJw0N/i09KVu3yi5tNqPjJXncdyh6hVgcduiBRW 7lY9X5HY9HxHfTYzGOJzLl8T65K5yqb7IdOz/U7j2daiNKNkKG0Wn0hxkALgDs/Z BkU7pt9COqwGTXIcFkCkxP9iHpAHfPr5a+7u8kGY3d5j/TIEyVDG7zUYLLksA/6j raosCsvIPyWv4/QkpKJdnGgzKuNsI0SltKu94LKxd7aYo0NKDSWcdA9oBUtcvJIq 46VZ2esm7FpCTSPtuo0An2UIyR09s7ffSQ2+kUAwV9fgG3x4E7Cc3uzIJLUj4iIW 45aIXPqYpaoy8ue/NFYWeLk/J9iBvJsHklCCVyFInc5JA8DxloOSBI6lZKPq9syJ gbV+bVNt0OxvLHsF2cRIH5KIK3vJLPyN8tOsH9iMmS5tHqReIjqE7DJnNqbnQiav ttsJvZck5x6PmWiRI3wQXSC6tBfP2vEkuJ07Ia2DzA6aL3F6p8C1BI9/ZaiTLKrh sTzwD2ld8x33PDxbbucO+ASE+IOt+iAGfmxEH4DTmKPwTOTL6zW/MdDqQlBGdPA0 CczgnjQYH46lMYRCmwATPqa0oaIBKsl3GG6VFT2b7CM9CNOZbrmWZxINVf8StMGG hue/SBTTK8Ia1/hRx827EleZ/fKJGTDyg6AGanmrOskozyVmZyrmQSMLRI/zykqK KxRkuSAxV+JJJvQWcKfpfPEpm7MnsQ7Sv0gXFEh0eI/s+W5WDXArLAESiQzHGBqg LcPYVktsRzuhUosAinz6TP7+XgRGUGbbWjcXeuQColwb98g5OSKjBg6rD7nfnK0E WCU/5d5Zlu0xhnI2D+MaG3G0X6g9VD7MgX2JRA0RQ7+2YhygaGJF0+YLhkS6NPub /uX4psJvK8NyDfbGNOTK4ftix9/AMdT+Cc/LNp1Qm+Z77H5BlMvt3Sm3guo/77JB wr6K2i3Z1TjYiKXu0lVQ3+WAc1bGvIe9LGfZG+evzdjENo2KZOXVTRL3g3z3tfd4 xZt5Do+SGZDb3v96CZT4AqFMCtYe94G7qorb3W3Bp1hlnR4Njp7gU7lEAzscLRXk +ZDhcPHSXfwteyMTdUG1VwnmE/2BfbLSOcjMFlKgQEYky2FuDnuUV3KPSbGLg3uv Extension name: k8v6l7fv7x ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D672A7A368DF6DE9

http://decryptor.top/D672A7A368DF6DE9

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • suricata: ET MALWARE Known Sinkhole Response Header

    suricata: ET MALWARE Known Sinkhole Response Header

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe
    "C:\Users\Admin\AppData\Local\Temp\c5bd0062b81f15f92a9c96740af433d5656271ecef6f5a355bea2ab392974c97.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4384

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads