Analysis
-
max time kernel
167s -
max time network
179s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:20
General
-
Target
ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79.exe
-
Size
161KB
-
MD5
3243544de4c345973a4a8a10309892be
-
SHA1
0412fc7aa5ead84606f7e7494196f264ba007307
-
SHA256
ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79
-
SHA512
76f31987f166fafc9c2e1f92a92175a081f88408716cf0d77d74b3f829b72f474c1d1268ca5a34624bd518ec40467e6af7df475eed7af5727b2b7a1f8847413d
Score
10/10
Malware Config
Extracted
Path
C:\9303dh-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 9303dh.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5DA1AA9664BA96B
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/A5DA1AA9664BA96B
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
we4HgsFv4qKDA5tt10xrtwPjko5aVR204pnIAuRRKHixhHdqCAlWGK6jQdfGsmiE
dNcQgMhrofFRJiFI7HicC2rqHA0N7pZxvPfqMPU4fk94iIYbCm8ybEpWiHm2XOVt
/5OKFrIJYSzmPaYCNJj23C9I2SPKIjaUJ7XmGU6YE6T/XKP5kPPzQbiH+kYOVTgN
UYT3/ICMvHtV2Ze9+T6jtVPshUrQAt8xPVRibgqB1mGuDfBaykPLZfRr3MzEPIZF
V/Yyku/M18bJ9oxaD3a8RxPSmtBcUqZFnem35d5+MtPCefrwHPoCXFm2Nkz0pB89
DlTT44t8fI8teqgNgVk4sgNN2z43GmrjIIwPgyEmsB2qV2z0QMoEQcUAMMaEiqmx
usixsKHbaLOh/qxhJUR3ITTHpcw/kQmC0PqTrZQ6CKijLaRujY2sEXbPO/eVtyGi
TaF3dHFzNMuprAwyjmPhMf6KAxYtzinQtP5hk9JVoOPeZQfYn0lqHssqKQdC51zy
ZVpUFeDrDjIBMJwQ456iUD5sydyuSw+pq1vX6en5y2rxeWEVMedCF+K5Kg2rLUWT
mzzAg/cnJlRwEHX8tj7WXw2RVCLjeVCfuFTsRYxH2mv3c99wJo+PiAI9JfLQQmb9
1WcILNUGb4NacltLaykErHe/miogDW8MmtuOo10wj4SAnpbK5341DHq2t07DO/M6
S7znpe4Z0LIfkV35SdaBGNVbzJNxEVUUpyC2Y3PFoM1xD6vlwOlTliGQ/7xdUvHo
wN2zjxSAsqMsirPwFCtzYtdrxxUSJ0fCpy11vGP+mlzLNrAgNGwesybLorUDcDMq
5mlAcAPQW2KfeiZwoU1LpyxO4j+NHeMEpWnz2g516ldsMgS3x5qcN1ug+8MNbnVc
zl2BHSMJ3x5Fng5texqFqWYYv6tAMAgtj24xLxhxbbpQ0MvxNKeBmNnr4I6IMbP/
wgx05qskgIHGAvdWUt+9qDLW5N7G5D+jPluwtXs543fJr7MoKBB1gdOUxNeRJRvX
ojSabAU2HPiCY2LupoN81k6P1Z8b3oYkiJo4cNO6GIgfTfLclNKSstIN4+CDP2yw
vUo8Lvw6mPejEyut98RwZqsSKj0mPZDgl57tqi+iHg9V/0bosVAMig==
Extension name:
9303dh
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A5DA1AA9664BA96B
http://decryptor.top/A5DA1AA9664BA96B
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 26 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79.exe"C:\Users\Admin\AppData\Local\Temp\ac2b1feee569f5fee141f5fa5fc42a3225305e347fe2b1807108b2402a098e79.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken