Analysis
-
max time kernel
134s -
max time network
142s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 01:29
General
-
Target
9afde0c6e964ab81b0ae4d3cc9d5d524105a8e8536803e87aeac144920b78f3f.exe
-
Size
203KB
-
MD5
e76205bf0f4176dffe23667fcfbdb664
-
SHA1
9a7b395eea6f829ce35778746ca03e71bb5e4980
-
SHA256
9afde0c6e964ab81b0ae4d3cc9d5d524105a8e8536803e87aeac144920b78f3f
-
SHA512
46cfcf41d72647cfe4812b79148cb7e002bea2425e496b9f241f3c6769ab84772a2aefade4a8d8ef4c3e9dcadabfaebf920a4d6dfeb8fa85933b76c241dfc8bf
Score
10/10
Malware Config
Extracted
Path
C:\2cyb754d76-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2cyb754d76.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C44AFA4B9216FBCD
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/C44AFA4B9216FBCD
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
LZV5xXj1vwl1B0HdC93RP+CFKUODZxgbEYcOdcDKU3GrLkFkx/vjblGZNMRe6d/p
Xj+PhhX08kaBRw02c4XAXJR3TXSPBL2G7+bRC0oUbF0TpxOTd9DGY/JQtJJojmAW
riFaEOpUqfmQUzM9UmS0iNDZMQLmd/NnpkU/QwEM/n6JvSLAe2lrBwlqPZlXEUP+
pjA5k5bP4AcuXuCf3ES6EIY2eoFxLnzWhnWvX9snJi6kIzfpbbwjaDbksFPV74Xf
8eg62K3nK0htIVCcNNFvbr4h6uEoEkRhpXKYfzetwNn+JO9emIWdIhblmi9p4uQv
SGhaGW7oWuVcdTfBD08zno/ZRTjKwlDHCE0KFu+Q7Nf2mT73Nb1qz9BatKE0eUhu
7YQfWmx/0dnnPuFZSuAq/OedXOBcO7twr7EvYVjIWnEr5Cq4zv2WXxoc8A63qcO+
gAfABTnOE0CbZoMUgM0xpXm9tmAr+aYJ2MYjvNEKIIzy2aj4eR/+OBrsh6CD0fQX
sgFUYX1GrajuuI1k3xG5gfztOHvjEfTY535L8y60A/5TXIChk3AaPVL9nuwOpftK
dD83yTz9SmxXSsm7au3yjxd04E0XhuGoccRJk2KPJ9vsFiyKMvKfNgDooa7/XnLi
gphUfYrHmxlJjNdHQRJaRPKoVWkLopqHF3j5mV4NE3HajMr34LlEsHHheKzDyAtr
N4BrjKhY2eCwY8zCXf7fIANxiM3FEAHrTXr6MlrhqOQw6bwkoXNOt/JsOXFszoYF
nMjKl42pZEtzLq7iT8s4TtZk3trpF5PrwdHdDecb19DI1Gb6HAB+Rz6g6dfSBwrW
rS8Tf80y687AMG+osuDVKPSVWyfAboKKre29BLvikse5UdFollfFB1YtQVhpSYpc
le5Fp8RpzHvcYFaFPFW0Zc4O32XTRPgOJJbTdlvKXx/C3GGCYoKWnXBglXkfjLj8
KmQTc8hXjmITJMMAgk4igWY+hYFmesfaSzmlILVb0hYm47HW49Wv0oWFbBBNf3a/
kzS6xzDrod+cRNnGrZL9YMp0gwKu0ewgsDKunte6sd71n6Gd9G1tN9n8IgKjOE7o
h4EecvEvXRgi4N1Qj2mgp4QdINKu7YSF16ZhEAYcR+OohoqYlwIcgbqxKN8Q8JPI
Extension name:
2cyb754d76
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C44AFA4B9216FBCD
http://decryptor.top/C44AFA4B9216FBCD
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 26 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9afde0c6e964ab81b0ae4d3cc9d5d524105a8e8536803e87aeac144920b78f3f.exe"C:\Users\Admin\AppData\Local\Temp\9afde0c6e964ab81b0ae4d3cc9d5d524105a8e8536803e87aeac144920b78f3f.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken