Analysis

  • max time kernel
    145s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 01:27

General

  • Target

    a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4.exe

  • Size

    164KB

  • MD5

    ffeae1d6c63e1f6ab23cdaf01f7dc9ae

  • SHA1

    d886717b94edabddb548c532d55f5b7189c038cb

  • SHA256

    a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4

  • SHA512

    b38b34f60505884d331b07b801f648402c2ba4ee6f03f30b2f7ca0b9e2fe0269a0a59715b20ecbfa69148a44c9ef8654dbda30b52ca25c06e2f742d9d1952c1b

Score
10/10

Malware Config

Extracted

Path

C:\3pzdk-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 3pzdk. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5AA01F7FBF536BE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B5AA01F7FBF536BE Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: AeggCKGkm+aF4kzwYoW+I5m/NFZZwWubqyeCCi2HYENc5trzqvSzKaKbY2KyQOM+ dx8RtB4uWbPFWhZdFXgWEGiGuhL8lG0SBip/cTCcF4ERPjrPInbouTxG45OaeQyZ ceV/u0KNKZ36wWnDhcVIZjCsD13CMbCAKjYLdiOGX4/ABaajEyzRRYwKy6+5natD UZHpEL68hImq4t5LIqla/sDjcQTX8KFSKl5wyYKr8FE3DdgkKVy2PXMPZGNt2OA0 cZkFoizoddiiJjLpDNosaL2KpxiA6AKeGFIGwe3fMlKeDBXbeIsgXm9M/PGs+qX1 jGxI9wrGaQpOsQU9PuBSwMKYTr1gTA3X+xQDbeJ65J/NMMIJJABwDsX+ar7gO+42 /JWBNGf/FiHSTLuydAaXh1BwDm6FZAl36j51ElbAy4zMKEuQ9G9+126UD8JtP/96 mkZiMEl0qei6jJNCfJxo5aaFzRxzOT/gihSA1tIFWyIjzbxTHPxp00AGzJQFXXZb lMsZwY9GX8NLCPvTPmb21pyOOA/yIgFXUAhvRM/ZU2Zb6X9mVGiVR9L3GEF/Q4vI 3zhhOb4odxqOtjBHAxjb9Tr9/XmbDGNZMAvzG9hAJiFYqFtJPwrDhp/Gtjmgdwxj zTgKleyGm6HCIo40Bylo4VoA/L0GohG8UJC7jQMVwLuTY53IHVRfVP0MAFiOWLCX 30jnVdSk76Y27+zc5p8ssMq709Jdp/+H24DreUOWx6LSBH9O7oEDJXRLftyTVSlo 0l5GpVwoFpi0YjC/pyrtkpqVAL1ozgj2CnHllAXzP5v1U9MJZNZZENreLr6+7Dq1 ygFXMSC/uDQt/+8Uvz4muyaorjTz5ysQxX+rTj8P5QqAbwIAM2hRKIxvVlexD6KK n8QPDwtYwCTrGzMJo6SA65JPC8DbD6kGq6bhvhFtNhUnINpKQeu60kLAYrqDUaUw Z9/EcsZEVncHfUkaVWzsN9j3aLfXYeXtPGB+MWZaJont5btnhXKCynjx7nDk77Si MsByQR3Vz3Bi2+o3EaxRFpSowiPKV1AeDz1waPiQwq9PLwvIaT8JHwHognQiUpBb q5Ay9yaTLK5Ib9Ig8WHe/rqhtCkIRE8SAS96G3QQ3uk0xAq2rcrlyTxiysM/wraL Extension name: 3pzdk ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B5AA01F7FBF536BE

http://decryptor.top/B5AA01F7FBF536BE

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4.exe
    "C:\Users\Admin\AppData\Local\Temp\a03a935a9bb59abd9b8f5d0d447d9a1895451e17c5fb48f051b549d8fd42d2b4.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:608
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2004

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 2
    Install Root Certificate (T1130): 1

  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1

  • Impact
    Defacement (T1491): 1

Downloads

  • memory/1108-54-0x0000000075431000-0x0000000075433000-memory.dmp
    Filesize: 8KB

  • memory/1940-55-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp
    Filesize: 8KB

  • memory/1940-57-0x00000000023E0000-0x0000000002402000-memory.dmp
    Filesize: 136KB

  • memory/1940-58-0x0000000002402000-0x0000000002404000-memory.dmp
    Filesize: 8KB

  • memory/1940-59-0x0000000002404000-0x0000000002407000-memory.dmp
    Filesize: 12KB

  • memory/1940-56-0x000007FEF2D50000-0x000007FEF38AD000-memory.dmp
    Filesize: 11.4MB

  • memory/1940-60-0x000000000240B000-0x000000000242A000-memory.dmp
    Filesize: 124KB