Analysis

  • max time kernel
    167s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:31

General

  • Target

    96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248.exe

  • Size

    115KB

  • MD5

    eac91fd727e02264e06be76d23d7b1d8

  • SHA1

    0e1b850017812402b82c9c403e145a697a9d1462

  • SHA256

    96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248

  • SHA512

    9942ed7c74fee157cb7cd87ff503374b26fb6c619c77a1c1d4e3b3b8facaee05975e03ef621816a86ee527aa727b8d56802d5d61460a02d12755991df5465ff9

Malware Config

Extracted

Path

C:\37204vx-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 37204vx. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2E95C50E81A90DF
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.cc/E2E95C50E81A90DF
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: c79r1hySElz6NeHjMXhgowT5AECHI3cpmtHMni3g6iH9Mb8KyOZzMWD8Jbjqk5q8 TsilSC5zqUVqFYMjwhtjZIY2oSL4LzxylWxd+9GHe/epfB6F1GAF+5OjmbJq06Jz A4qBdbnyfLWOV70JMDbjWp2rM0MaYEZnGrL5Brbm5J+hSNDV6OjD9XyG1SHaPuGX UShXAoTjfZ6LE8IULYg8IekEontg3b6eNFk2NqOiyv6vTGghnoobLHKJqk6h54wS 5WFVZe0jixM2wHknRrsGqUHVmPpkh/incDmnI2jTrObzO0sIwnWpcp/wU1HDYhqo hNA316czOZzYv8lewSAMmHwuU5SO0VJV8YGwIeqnYbeMzXXb6+yg/wZhw+x49acm 32ZrdtVzAP06Vozn38AvUTPwkRqX3pErl4uNy+EBPbl6K0+aavwOow0ypTB2cehq nZkMvqYKNKtUIpn81KaYwFvMNFTBb9KuS3Mg7ouFWBJrATqItymkrnjol75gcgUC 9rPr2qUfcfGU8GKVAopCrXB60h9IUh4SX8y7vYHNSx3BKV7n3MpExuasI/wr6rsK 3TAOFih6jkxDDREnIoxOMrfOrEObatowYKyJThQ+j2o59hf+w2JZ7tRDeEFcbhGY 46ttPdMksl90ojG464im8zBSGOCV8NK3JMvPjTYjSaTvLdch5pvoKEhTWawlN3Qp raeZb1mujS5I4ObxVwIhRcpmQ5pxxzAZdX6z2NscLUPPDFs4E+HwHEdymDM1PsQA sPPgM/I70P38m7n0m+lpSmAftwwz8ZSHa+zQvXnUHGUYX56KnohVlQpjRcObjld4 mpVzxjG+Lsxe5FZfxw5n5NeuoZR/nggOa0JloQstvz0tuG9vMw5yHU7BSkD1SV/P PeACIe/89FCvWM10Ag9vqQpwwW02XxO1GbfM1Vnz7M+Y2kxZXzbHiwC4vCy5KWy/ zy2zzQ/oZ3t51tO4sHM8x/+u4oPUVvPoLTx1KKPcKtEssgKVqtlp4/mH15eOmLN3 e3ExuYT1vTNjLBnLS/9aHbM4V6vILI6aHEpIAQ6LFAS+Ys9eNKfGN3pUsQ5HgFps utclX1jjlnKYzY8+713nh5eJLGY0FYL84IeG8NEhhI2KYX7UiLuE9eWLgsGg1Bee XUN1rse7aY0e2FpI4OELe+3Kq1zRbJlINZXg66eScFOv4w55lHHYDtbVbERitBvK Yuc1LzmjOSE0H7gUvGZsFlEOCJv2HMZtB6kKnWjXSrzXpCmyLn7xuRuGQ257if21 WOApq9td7QndmbhRfyxvNQ== Extension name: 37204vx ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/E2E95C50E81A90DF

http://decryptor.cc/E2E95C50E81A90DF

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248.exe
    "C:\Users\Admin\AppData\Local\Temp\96a7ff0cff1bab41392844816d1277a9946fd1941ce160b8335321aed328d248.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3056
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3044 -s 2288
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3644
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (2) T1060
  • Defense Evasion
    Modify Registry (2) T1112
  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082


Downloads

  • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.37204vx
    MD5

    e4b00dac77fbf4bbbf200c73a107d5a8

    SHA1

    1a98b2913556fe438c9391d0294573a86a3b0eeb

    SHA256

    df95c5703f68ac3e938c7aba50b3e723e09fb39f7e04aa629fce0be9697451d5

    SHA512

    e7b3ed9b38dea605f14dfa6b1cb4af33afae5fbc72ea97c2aa1e575c9c0bcee3215fbfba9b7783a15fe46fe53e0ea06c0ee4726e26f2ec1792a9ce8f6d94f770

  • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.37204vx
    MD5

    9dc0cb2180f0711dbc060085f2c34c30

    SHA1

    6dd98b32ce545efa880cb2a7d037998fc8e64618

    SHA256

    25747a5d82a3a23f8d92ac92a6bacd6606f8c65f878ac8c64b9c0bfc78c64f25

    SHA512

    6d183ada9335f842f6b8909aabe9a1a786f7cbc8e7e5fef6ace6bdfd7c96aa01eacd01209a58df498abb92ae8755b7bff11a3fd855e90d8bf85792c5ef897fdc