Analysis

  • max time kernel
    168s
  • max time network
    184s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:52

General

  • Target

    6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd.exe

  • Size

    115KB

  • MD5

    da50c8e2aeeecc39e8ae49cef8271733

  • SHA1

    768d0597775446938114e0b5f1ad74b7c51b2a5b

  • SHA256

    6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd

  • SHA512

    adf77baf9095cd1be5a9a2639978e9b1150485d08c09d8146645930528e552bb1329467cc4e70901c17faee0b734b849d5ef83feb0da760ef7d636d75e1c4786

Malware Config

Extracted

Path

C:\6u028f6-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 6u028f6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C33A1DF3229395B9 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/C33A1DF3229395B9 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: TDqXwcZT4VwKYTm2PYJxw5z3Y2dZAGW8awA44bR5v7Zix8YeyVlzA36OqD046UBW Allaf9nL1avGFNPnejr1t/U8hep80QVzsQWyJbyGX2oF132bCHDY0g30Yazw8CWJ 5qdGiET9LfzQcDDRATp+VmM0Zp+FcqJdQ1y3gLssdj60DaA2BA7NO13k5enFfMKD YTvU2s1eJeNNeDXPTNMkgd5xVVeXpsq/uJxqqN3Afw6sNsXwM9QtlRpXyjqartWn iJyRSnyMZ54fXrNaxNKMa1BGlRfuyR9FfUwUJh2Lh+tktMpBnsyYY4Lnj5KUVEeR 0D3C18AAScM1SK9exnn4HEELRYTUGbU7L4A6ZvdI5PVU2FIxEfk9hQO2lk5vrsMw 8/wwfQhCPvncNH5BYqQquH96At2mpRW/wbPwBqt2GbMy6trI2ULJL5GOcDfRzFZ0 i3tFdALLiRXv8tBrWVy00+ECMPWhMMYTeCvFr3GyqndH0QEcIPydmqN7ICl1R9PB KDmAHKlHfaehyAAZlvA2sYZNsRjBgG/myeOzTKQP1ATq7rzeDWY+g1P4baYci1a/ QxU6JVEHtKG8jTSMKWFy7IeWOqpSyFxs/t4qcjIQMF3ySFVdWykyx+7D9ldELJlW SVQ7CtIXDZkdJODGKCWlvX9kPi5sJr6cLz+xvOOvaupIJJokquk/bJ/5AuE4g53h uClSXHGov2FdBbP1+jBOdP0ji6YW7RMQOdZAvXbCJ+/aByxN/sxZed0dYHi/mliH 5Ea4L03IXa6HnHi+y4h6+k/acx1lOj7Bj/BOK2PNEbcRGgIWPOHRzxtMtZYcuvGi 8IVmwdtdvCTTpO7mGBmvan0VqlxvpjRNo/6JA1UBorM4pgvsi7FoJw0rvRRuNkEG 6sdKOWgsywgTdPrseSxpA/JJuDYApxo472Nbh/FxeTm8N8E3o+JZgMtsZ4PmsIT/ w6/zMSsqdNcSo8JQiu8V/euztS6/LTYZrMUuubGHJGIpxdGKR8PelBmWN/9g+R/g HkxMhpf7WdMjAR1RPNKvASgYzON7wAozRAIqAXVH8kiUGoyA5WpktNDVHdy0dM6X V6JNa2Hm3opBrOC/yv5nw7HFQi4AOUy24nqMhtFpdmC5sHG8BUKLUXdZSTvCpV62 158xnZ8BHYmRVTnMYBbCJwb8SSidjbnHIQGkFMZamoHNcJ7YSt7nqQHDRrbJtF3L AwvcZEYCIdBzU7rt95Tc4NuVKcEx+P1dJgG/Fck4qMlpHhWNy+jjPbs7myBAXsDI FrXbSOEirXQ3hy2iKzmP2v83 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C33A1DF3229395B9

http://decryptor.cc/C33A1DF3229395B9

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
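
The file-system signatures above (modified extensions, dropped ransom notes, desktop.ini files) are what a responder can confirm fastest on a suspect host. The Python below is an added example, not part of the report or the sandbox's own detection logic: given a flat file listing, it recovers the victim extension from any `<ext>-readme.txt` note name, counts encrypted files per directory, lists the original names hidden behind the appended extension, and flags directories that hold a note but no encrypted file. The listing is constructed from the report's Downloads section plus two invented benign paths; the note-name pattern and the 4-to-12 character bound on the extension are assumptions fitted to this sample.

```python
"""Triage a file listing for REvil-style encryption artifacts.

Added example; not code from the sandbox or the report. Feed it the output of
a recursive directory listing or a forensic file list from the host.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: one "<ext>-readme.txt" per directory, <ext> being the random
# per-victim extension ("6u028f6" in this run). The length bound is a guess.
NOTE_RE = re.compile(r"^(?P<ext>[0-9a-z]{4,12})-readme\.txt$", re.IGNORECASE)

# Constructed listing: paths from the report plus two benign files (last two).
SAMPLE_LISTING = [
    r"C:\6u028f6-readme.txt",
    r"C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.6u028f6",
    r"C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.6u028f6",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001f.db.6u028f6",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000020.db.6u028f6",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000021.db.6u028f6",
    r"C:\Users\Admin\AppData\Local\Temp\g73w.bmp",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\6u028f6-readme.txt",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.6u028f6",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\Admin\Documents\report.docx",
]


def find_extensions(paths):
    """Candidate victim extensions, derived from ransom-note file names."""
    exts = set()
    for p in paths:
        m = NOTE_RE.match(PureWindowsPath(p).name)
        if m:
            exts.add(m.group("ext").lower())
    return exts


def triage(paths):
    exts = find_extensions(paths)
    encrypted = defaultdict(int)  # directory (lower-case) -> encrypted count
    originals = []                # file names with the victim extension removed
    note_dirs = set()
    for p in paths:
        wp = PureWindowsPath(p)
        name, parent = wp.name.lower(), str(wp.parent).lower()
        if NOTE_RE.match(name):
            note_dirs.add(parent)
            continue
        for e in exts:
            if name.endswith("." + e):
                encrypted[parent] += 1
                originals.append(wp.name[: -(len(e) + 1)])
                break
    return {
        "extensions": sorted(exts),
        "encrypted_total": sum(encrypted.values()),
        "by_dir": dict(encrypted),
        "originals": originals,
        # A note without encrypted siblings usually means the directory was
        # skipped or only held excluded file types; worth a manual look.
        "notes_without_files": sorted(note_dirs - set(encrypted)),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LISTING).items():
        print(f"{k}: {v}")
```

The `notes_without_files` list matters in practice: in this run the root note `C:\6u028f6-readme.txt` sits in a directory with no encrypted files, which is normal for the drive root but is the same pattern you would see in a directory the encryptor was interrupted in.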

Processes

  • C:\Users\Admin\AppData\Local\Temp\6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd.exe
    "C:\Users\Admin\AppData\Local\Temp\6cff57ed233dd9083464ccc23c0a59df300c8a0aece0d3651e5c9e7984c937fd.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1444
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3064 -s 5528
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3740
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:524
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 524 -s 7216
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3388
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    PID:2128
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3600
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3372

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic              Technique                            ID     Matches
  Persistence         Registry Run Keys / Startup Folder   T1060  2
  Defense Evasion     Modify Registry                      T1112  3
  Credential Access   Credentials in Files                 T1081  1
  Discovery           Query Registry                       T1012  3
  Discovery           Peripheral Device Discovery          T1120  2
  Discovery           System Information Discovery         T1082  3
  Collection          Data from Local System               T1005  1
  Impact              Defacement                           T1491  1

Downloads

  • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.6u028f6
    MD5

    4ef6e17cdc5804174308116296c864b5

    SHA1

    ddcdc530e5a4b16871a54393dda8a21599c0101d

    SHA256

    6b20064acfb26887ecf0cc9d48964e29992fa3f737d2c028d05cc33c904b9b93

    SHA512

    b2016c27ed381fb0d6a3eb1409354f507179d678c4851391f6f26cdb3317a051a6f73003d592df8ade5432e3902081d139bb70ad0143a41e7088c9c3db032724

  • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.6u028f6
    MD5

    a509735102c5ee15bebb53c8a933e425

    SHA1

    63b5f0250c5156c89e793d369b70d47441a7cb77

    SHA256

    2d22a96c9ea3b8244f1103349e66da4e3056a790a2b3811f467ac2c7068c78f2

    SHA512

    badbd2e7e319e13c0a17e7bb66e381e53bfa7d15602e62434258dd413d34f979389d980f8eacc9880645b86c7b515a4206939905439fac32103d169c8ae93a68

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001f.db.6u028f6
    MD5

    cd696904a116f03607ab8fbe2125d64b

    SHA1

    198f4e3e502ec0f8e1b4e21480ef70928b3a06dd

    SHA256

    3d86c71775a8ec1a89c4d850abb0914be07b8d5534ae650acee497444a8ee49a

    SHA512

    e238e6bfa140ce48259e144bb8bef49bc09fe4a2a6d95fbd6e7be4600fe98e0fa1631f135d2d58bb2eb290f58d02f0152f95124dd83cddb1f0dc39a13d3a4e31

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000020.db.6u028f6
    MD5

    f3ed4c94fb2d5c37c1fc5feffdb8f109

    SHA1

    d98a0ac3e6c94193ad0d02bb900e625c00da2602

    SHA256

    a766f50c75a0bfae1484c9ebae2ac00434b2253187429dc0024294bd28b45937

    SHA512

    3ff555c348f42c450703e2672765f28d36dba51bf87ae80f3698f5a77fdbafc7b3e1686261b8b3ef6f53a3e8c306a998226c602775e53e4307fc1c0cc879cb22

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000021.db.6u028f6
    MD5

    adc7f649464abc95bda1b5a66e88bdc2

    SHA1

    2c309262fb37a68d5246fbc8c3c82894f8fb6a31

    SHA256

    3329db06c6b900e8383e263b378bfeb546a1568e1793f7343e8fbf2158302c0d

    SHA512

    99ddd09b39da600d78f0a6c79bbcb04452d31d1835d34b5e2628ea8e421b4f23d4eab272bff8d1b824d81d2b83d7d5da24f72b8ae17d03daa611bad4191e1ce2

  • C:\Users\Admin\AppData\Local\Temp\g73w.bmp
    MD5

    faeb816ab10f5aadf0d67055832491af

    SHA1

    d578cb48d978760ad3a8b78423a9609ccf6e0609

    SHA256

    089159ea37d6cc854d3e8c387bbf2685d21a20fa1f0dd43b011994adf330bca4

    SHA512

    e726c0561b492f0d40126625c2d9b51d5a21ac757d22df57169557d0d1f78f700ea813addc36625f9e38f9ead653f1df3d3386fbcda651e45dfa5d04d7a34f3a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\6u028f6-readme.txt
    MD5

    04cd9c862f92dc69f174854f02aa87c2

    SHA1

    375105f19597399c31ca050949895920b1fb8a18

    SHA256

    e2bf9bd71c4a4a7c8a8553b89dad7b4b385534ae27d3750766f12b59b324e3e4

    SHA512

    91eb8c6a8e663f75bb61e857da4fad6e57421f9529844cd9f14fa652f13f31f804f095cdf8949a2b6302ed1635271b2427996feeca7d6a3ec6e7492e94f3bd2d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.6u028f6
    MD5

    28d7e4844070974bf2e446b7d36920b6

    SHA1

    34c2aed7c96a4651229f3680e60f76cde0f94086

    SHA256

    926672b009331b83baa84fc5d5f458ec5897bfb746e0dbe27af266b52f6d8350

    SHA512

    c0d2c17ef727ab7def107ded73f09a42477e20fb30fcc23e24d5781278dcc7b3ab184ff8e498d0700b029932f7c22b89d4451a2838149b67c631bad2ac6a5dd3

  • \??\c:\users\admin\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy\ac\microsoft\internet explorer\domstore\p411qd74\microsoft.windows[1].xml
    MD5

    acef63c004f13d6897653d8924eb524f

    SHA1

    e52cebc34663566eae7ced0c5b9ecdac1606c5fc

    SHA256

    504b7c05b93c0302d5ce0ad78bd37c6faf5210f8ccefcbe92cb2349168cbe4da

    SHA512

    8ec15e11a43357f90186f264bd1e439caffee1a6a2e961b35ae37c6e166cfed4f3d1a8fbc303f7439cf3c52b572db139780f7aebb813f8cd86717db9affc1e60

  • memory/524-336-0x0000000002600000-0x0000000002601000-memory.dmp
    Filesize

    4KB

  • memory/3372-549-0x0000000003670000-0x0000000003671000-memory.dmp
    Filesize

    4KB