Overview

overview

10

Static

static

10

a3e691b641...6f.exe

windows7_x64

10

a3e691b641...6f.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3e691b6417a17b9a954e2006414d374a412360df42a152bc8a256ebc49b236f.exe

  • Size

    166KB

  • MD5

    8519e6b492bc77e39516032e83809622

  • SHA1

    53401b0da0bf5b345d615e767922be3a039c6dee

  • SHA256

    a3e691b6417a17b9a954e2006414d374a412360df42a152bc8a256ebc49b236f

  • SHA512

    2f67019052dcbf8d41cc4b3233b4f4f720e5e9b48747161e312c84042855bb79d1258c065f7449735de57e300817ce3a242ccdb3016ea6e9d35cf2013addf88f

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\rl13t7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension rl13t7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8F053FC30D4B44A0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/8F053FC30D4B44A0 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Xs6V4ND+GzdT6NmqgUF40p94PDgh3fwVtcvYgRDp1jO0wX1825l6O5u69DTejP4c 2A7QbXpj1ydAz1INrApAwNVHv00BI14TTFyNcBtnY/iwXf3PoTxvpc1LJ2OTShBD WHpl/10nO+nxrJXxVBSvBBPcu7KF/BRVooqB9+LiFQfr7vA8x1x9t3h7VOfQ/jyR 3RtksDvi7lb0sc2tEeKqIwYHXVyBAH8PZmbiLvdt+iKhmQPIJ6tIOTLPckM/0ju2 UyA1ONKpFwtIeN3itOIdxzDyDZDCkWFYESG/cod8ezzPNufFmAe5pIVI3mx3zfut ebinm974NTlLsueGtFhZidA4Zp+tJPROOYNGUBaPaHYK2veMVEXH1g0iym1xH2e/ nTajoY/X36Ob7gkmamlHzuuClx1mfqEm5V6YD4ct1TwDGhwMDQ2EdqUlNOPldCe0 gNcRspRogPKnjwqWMiG7TZcKxTxVUZcNNWXmUgH1PXCSlH6pwTN6Fy/A+pMRIEWO KpFXCJWz/RUX0YqX/ahPUwlyhjq9BQs/jBfn5m6RPI5Nxy82/eiigKkt5SL5RJm0 eQroYhStfzQITLtbV/qYg3y5rsVcFTostjDiEHqmCRiSNRGjUv4AhKBA9K19n8RR Y9Dh35gN8f8HgC4lONbibDupmWJvnhazrbyr9oIGiwFBRPzWVCO0ds3bNOgNcM7D zmUkqWiyQs9XfkpO3rCFAais0WtRqtsuwVZCVnDJ497o816y6Do0ewyebGA46xNq SDtMYhMXqTWdaWf1klL16ZhCyFCznIoEgEIZGaeFCOWpbldxkGwGaEuNCKTN02xr FGWYQXgRb8cvXsNggrAth2MhXlPRdT7zdecewZdXBmkarANHMHtcvINEAEvC3bR5 j1gEoiZj3yTC5pWOqiC8ZiDw9EgkrpcwRn+Py5v87NS4ERAP9DspKnU7s0XOssCX vv3hk+DWy2QQGAbTE7T8RqiJw8PgB4Cx0MmmHYZEnnTEhNiI2NsnYvTUJEglMdtf An49ho+vw0zJ92ZgF0wNtMogWrqV44mAOdGR4Ec1PHlnPLti2dID9h1zo0Nid5JW 2zyhV0EU64J75GUooiTY1AL23GQfG6OvhdRb21JNeDt2Xn5xGzlqRnDawZ2vQep9 dkgBIDCzOzFd+DpyCr94pInRvs2Q/1lbZwrIfIqOtSkzLcF22MwnbR7APS1mLDIU DAHo7PAjvovWSHeSlTWCnNztkRANgMXOR7UoTwhIdb0/7kIPlPy/9bl4ORMdp09G Q3EdJ65EPK7umT0HjBOHJvtyETDMq6EI Extension name: rl13t7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8F053FC30D4B44A0

http://decryptor.cc/8F053FC30D4B44A0

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 38 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3e691b6417a17b9a954e2006414d374a412360df42a152bc8a256ebc49b236f.exe
    "C:\Users\Admin\AppData\Local\Temp\a3e691b6417a17b9a954e2006414d374a412360df42a152bc8a256ebc49b236f.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:268
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1380
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1036

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/268-55-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/268-57-0x0000000002430000-0x0000000002432000-memory.dmp
      Filesize

      8KB

      Download
    • memory/268-59-0x0000000002434000-0x0000000002437000-memory.dmp
      Filesize

      12KB

      Download
    • memory/268-58-0x0000000002432000-0x0000000002434000-memory.dmp
      Filesize

      8KB

      Download
    • memory/268-56-0x000007FEF3620000-0x000007FEF417D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/268-60-0x000000000243B000-0x000000000245A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp
      Filesize

      8KB

      Download