Overview

overview

10

Static

static

10

ac2b1feee5...79.exe

windows7_x64

10

ac2b1feee5...79.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79.exe

  • Size

    161KB

  • MD5

    3243544de4c345973a4a8a10309892be

  • SHA1

    0412fc7aa5ead84606f7e7494196f264ba007307

  • SHA256

    ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79

  • SHA512

    76f31987f166fafc9c2e1f92a92175a081f88408716cf0d77d74b3f829b72f474c1d1268ca5a34624bd518ec40467e6af7df475eed7af5727b2b7a1f8847413d

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\u6nwamv3y-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion u6nwamv3y. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/002C21D05E8589C6 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/002C21D05E8589C6 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: byQk00QpyZ8cNUobpxK2+FOtwu6u7qXha+P/ZE0nWj6NTmgm59wuq0jRMq2hsrtV LzUH52yqaqYVKRofbmbv9UIFRVYFlWP98CadhP22xEW53hKOaJ6nXUtsEWAOkpg9 NeT2C3wDVvT2MlknuqsBinkuocgG4DiAF9gqT1q4B5p4Z8wq01jdOyBctlTfjfSu ZTSDYATMH2l+UNeWbQzaa0myFGx8rNf72Jjm/MWTcEZS3NAUX/XAr2+fZ8qvZQFK fp787Ki0m/5DAz3/QogmJRwQxOXw2RHlByHxP0ofUzk9zEONeMwio8yJM3Sc4NpL yp5KRhecF5U12fgYezYgEEhsaxWiE3iXoa05nTSfhJNdqzHh2QQGTtMaIGXxaLET Hn3TGv7QiYoGikJqpZKN2qN1G3HkcL9IDSfLrFuUEuS7Cr/KqnMuoicNhvqIrVy8 qBMdOPSwJGS4EDkUIyjMXtm5ghsxAKJ74Js1DNl3TSrHPCmBW3lmyuA2UkU0bPry 9yIztym/99P7ECXCuTKAmks8nw8XHl6KdwYr3rXAaEQk4y3rVDjwx8b3zpvdG9fO bpq+tlTOMC+iZmp1Xw8zJsNnzBcvDm1hYwuLAR2phOwUy3tDjhvgdSlW+kDhHve6 KbD71lE0+ZJruGjmF1Hv3J8SOcZcurbIZcAmfYImcJbQefNBe9g0+RjyKisN/cMD 5S0jDMrhiAlopGkzJAJmwAQrEyfkxeKeTCD1tGaus+7MOnygHev0lK6vEaccAPHb EO5mKQ1zri5lpTxMdNzLExplexRCPzdk8p93Y9/ot+gWcAqb/EjvJLUBncvAX+ge NBgz7EZzMf10w7zCsx7PFbk7stWR1SeC4b/Q7vGzC6JpzgBjMOrECQO3ku6R2udj tMszKy9thVrX+ndjigHp3SPI5X6Wt3BAhupjSWX1485CBNLmaVk05ZLY+NIwKcWd 4RpuG67qfDAop85mkLWl9NVxR6nvgWgz+YaKOPYxZbAWnjoCueQ284uiJT/gXW5i P6t5S9BoUCnJ89Ie2sMpyXS50LJMiK/OeOJADlIspMT3GxB1RG3yv/7iCazD1kbN 49i0EoiuzHpR0pVDe5KBT+4iuxryVuBx9GF3RjWcYv5Kf/J4551Ejn+I8FmlEMMp ODwXwVNJ Extension name: u6nwamv3y ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/002C21D05E8589C6

http://decryptor.top/002C21D05E8589C6

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 37 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79.exe
    "C:\Users\Admin\AppData\Local\Temp\ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1960-55-0x0000000076511000-0x0000000076513000-memory.dmp
    Filesize

    8KB

    Download