Analysis

  • max time kernel
    155s
  • max time network
    165s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:31

General

  • Target

    96cf8bb1df1a1fa3bb88ee50610948c8318c95fcd3709fafa2763bf10148f925.exe

  • Size

    165KB

  • MD5

    e9e3f043ee293f2e2e6687c2fdb66740

  • SHA1

    93b2fae615741cdd658c3dd701bb53f321284563

  • SHA256

    96cf8bb1df1a1fa3bb88ee50610948c8318c95fcd3709fafa2763bf10148f925

  • SHA512

    64fc206e87c5f4ecb9bb21de3e757eeaecf53fd8958104779c2a8f4bb1960d9af5f48f55f157fd05f38f87f051d51cf3e0388b767c01cb96b666689e7f2eabad

Malware Config

Extracted

Path

C:\How to decrypt 9u0830-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 9u0830. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D042C8E40E847951
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/D042C8E40E847951
Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
WbTjkEWO2tbQ/Sm5960Vkx5V+WzJOEv19jlmBGag/ErQ5xglR5Et6jTwZ9rpmKlr afzcXsaL1qidhRNH2x11KGPD8J5N9ou8nI08OZBGLzc9zrhPGVe/9XAUuw+sr9Dg MALzcdsIzjSNDUOomGNwq3Y4L4qTPSKffVFUqv3XIc8DAae2hiluq+sE2q7dWtxL ztdNPBhNhOd3wZFva2Bko3sJ+K0ypJi0Ui9FwQqw9+4yeSWt2JQhP5QI7rq0LAm2 s4D6q3Oqk+Dn40b6eTEdepdjOKg50Mmtnu5g3cSHQ3Pv2rdk6GCOE27xm/pjmSIp Rsfvlkuoa/78yWREUuw9Sgpg+bwYqxc/hR4vOE80KCKOPYF5Ifx6Gis6fVdM18lx lua6RzMto2TG3fY3BgHIWljBt9GaiMO2bklZ5VDsi0HCzgpguezNNrbgRZ0CtuBc AtMjoIpSkquIw2wOMy5oV1QyQjbTr+AQRCNCrcWX7/welvdOdM78yhZZyHXBEdij U6DRsGI0CU8nnDl25tUVDuRiNPTP7A1Q4ELp/U/sNtOQkaCcVKbcfg886NOiFomd x5B5kBWzrBPCa+19keb9lH1+w8rhmmPgh0cFYV86+/tksBBS7qGlwip5wkTdcslG 2rliqtsZSBNc1U6HkX2oDTVq5st6KA6o+x7HM9oUtICWXjOOvbEsWGnZiZ30tNbU nsYlu1jhEgP2+m5ARt9xoYVYvwOI0xgrpCuc1uvDHMHSfzkxH/sB1BsQA6qiwZpo HAVyVK3EGXLKKexV+/DIUwc3nRlHzWbLEz1HIpXx5MKipvNwEaihyqztgNy2gmSm AnDHSrffjX2Fk4RDEFWBwTfrLmZrsqHIHKRwl03Fx1mEIES2xqDE331Crup3TQQq DmcYLmRcyjuLJ+0NOqvF5KxmrM4G6KDL9uJFLvxxJWfzqREPtVQBg/utJGEnMa3H uFLPpKDlKx8DLTceUvlUhFKPUe5aCKNNPcGpA2mKniNi8ustlb/y1licej40b8qY 5DpNljhR+8+y6hPJYBJv+kVw8pfGsffh3ahgK1L0fns8JoI8l41gzTCsf7p8Ge8u iddYUNlDc6Jx2tZU4+xPZ4BnL6omTkZ0HJvwyigIlbpWkJFwi2Zt77wmRPI=

Extension name: 9u0830

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D042C8E40E847951

http://decryptor.cc/D042C8E40E847951

Signatures

  • Sodin,Sodinokibi,REvil
    Ransomware with advanced anti-analysis and privilege escalation functionality.
  • Modifies extensions of user files (5 IoCs)
    Ransomware generally changes the extension on encrypted files.
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 25 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (27 IoCs)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\96cf8bb1df1a1fa3bb88ee50610948c8318c95fcd3709fafa2763bf10148f925.exe
    "C:\Users\Admin\AppData\Local\Temp\96cf8bb1df1a1fa3bb88ee50610948c8318c95fcd3709fafa2763bf10148f925.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3772
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3580
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1464

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 3
    Install Root Certificate (T1130): 1
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1
  • Impact
    Defacement (T1491): 1


Downloads

  • memory/3772-122-0x00000229D11C0000-0x00000229D11E2000-memory.dmp (136KB)
  • memory/3772-125-0x00000229D11B0000-0x00000229D11B2000-memory.dmp (8KB)
  • memory/3772-126-0x00000229D11B3000-0x00000229D11B5000-memory.dmp (8KB)
  • memory/3772-127-0x00000229E93C0000-0x00000229E9436000-memory.dmp (472KB)