Analysis
-
max time kernel
142s -
max time network
164s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
24-01-2022 02:36
General
-
Target
04f710f755af9ab14ba24c723f972706fc585c7a949cc5e275b5ae89104771ac.exe
-
Size
179KB
-
MD5
4c5c1731481ea8d67ef6076810c49e00
-
SHA1
bb192bde0428a2d012932eb62a427f42229b2ac5
-
SHA256
04f710f755af9ab14ba24c723f972706fc585c7a949cc5e275b5ae89104771ac
-
SHA512
7e11eb5c6943d96650db515d7fba6e5ab69b39a9b846c1bb71846ddf6407eb4d2b372ca232f6e85f36a81014ccaeed606a1f78f2883762187ba37495617540ee
Score
10/10
Malware Config
Extracted
Path
C:\1z25761jx0-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 1z25761jx0.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/63163055DE91DB8E
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/63163055DE91DB8E
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
APR7Fe3q3XJ2wSVC+87vHoHsXxE7hs9qRRZJ5iuxRn3n2Z9mhwNRJYknWusJSiCO
X9w9fFMClIo5mgS4ni7XBFACmn7TgTo3Gghz1WbptUhUqyJCbLXQ11y9bmVNXRnB
S/KaF6U/FueNH2aanAYepbb2wHGTAtQsAP79lFQNkAocXFOLrbs4CVS+yEf5IJmJ
y84r93nPOscUf41nAX5NHaEvH3qOlnWUJvx9jaMKVcO6NtbbrCSRFLpqpz7QtECd
b0FH/hX4zvWHOPMZP844PN4Dw/izgKiTgZF0HnBsCEDICWd7Yv7YnvEVPwajgDd6
ACHJvQGUL475QnNfkPQTnN2yHo+VIlEjKMMdq8HNB0Ed3rI8wqWYQD8eQRntPvKE
XkEQXDr7NsM9kCs3BLjbXbGA0zSScHwvXcnzHf+gTuNbWbhkfdyQeuReMfM9rfSN
hRTG6Uth4RHbfgjUfgYmJZqSxwxgFzxY+duXqGwNrsEjvr1KRC4NY73KNmAVEFTy
DaDloTgF7w/ymknR4lfj7LuVjfh1NsMBozDGwfYPMXejY9acBGYvA8AFJG48kMmC
MLzT34DuRg029Vj0s0zkuluCC32BZCWAWPlE0kKzXxtfNZHRZlbEk2mwn1Or9SlO
KEdfV5V3SLexKVsxlGcs0bMKEho/CJs4X7km0rF6tvOGGqbNBvyWEnhytFoaBMHf
N2Cc0vl1TUVxUIEBcIW8GoZ9deMAqMzI14DtghN0qABZJZ+p8TDOFAY8rEvLOjNw
iUelntoGZ9BuX4+SV2Swj4eLpyStpu5eUXlt6h4xOY1gTJZn/84fp9KETN/ne42I
Aq3VKmC9645E6sO2jUNEaLAJMiU3XmBBzBnxbHB1+ILDAC7RYBaAJe0EW/KFzI5x
hczRcUwmYPtBPhM+kwd/E6ZHFKGtC8YLMCnKVFHSAWCe5HctVVQlY9il3YPzIYlb
uIFJUgtNBoDA258LcZlrEgouoEcLgBeDK9IBKaO8j0xrQ9wFWGMJIuXoiQcN1UVT
rKp/Jl3MAHRUFGHjesPokgwdIExIPDrn/FTuOzJmbt+87uhYVLezlq99fNvpBsys
aKdm0SDa/tGAwzemN1HwQ4GoD8HPu1x2+n9fMBdJzURmyQxyOt6eyl3ctAskqmqI
Extension name:
1z25761jx0
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/63163055DE91DB8E
http://decryptor.top/63163055DE91DB8E
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 30 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04f710f755af9ab14ba24c723f972706fc585c7a949cc5e275b5ae89104771ac.exe"C:\Users\Admin\AppData\Local\Temp\04f710f755af9ab14ba24c723f972706fc585c7a949cc5e275b5ae89104771ac.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken