Analysis

  • max time kernel
    176s
  • max time network
    174s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 01:53

General

  • Target

    68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21.exe

  • Size

    179KB

  • MD5

    956274df4e08be7860ebb9fbf4a75930

  • SHA1

    d28417b371ded8b26e8f29b27c02515fb6154224

  • SHA256

    68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21

  • SHA512

    569a10c6e18b122e9e00768fe4443b1dbcc49e447bfbf239d5583cc6b3c862397fc75be8a2175e293ee05976899fff124b93d0c00adbd2d4530400b4ca585793

Malware Config

Extracted

  • Path
    C:\cjghpt3jv-readme.txt
  • Family
    sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion cjghpt3jv.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0D1EB62813A842D

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/D0D1EB62813A842D

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: Ez5mG48U/K2+s+zI+fUOhtf3DVvtywYozBc0F2CodpHlP0iTHVdeeeTS+3ayslpr 0iM19V2B6Oekhoje6FBEysYo+c3OOTyBWD9Vq4qttwwNo71lyfJRZIipXs3XplM9 Q63Oi7osNblZWXPNi0fWPirMuzfAIhLlbJREsnkHb7chmaM7Xn6NxDAWOmPXDjhP lzUu+iEP7tshvZolouUP+GmwTQ5sF+ou/lhGiOOFrF6xQpLkeU+KmRyNzbG9BKAy e+cKDg8RZr43kvYr4eGE/J9TPX9cQ0T2HFVet8k8uKlpEVn5NG+ECqmZDVf4mN/p IlLiNTX8isvlKAiGW9tbATPPGwukaagPO6y8T7SemVCgQH3/uCrr5u0uCAs09yvj X0qD4Ip4NUQ2+7LEYQ/VBnzgBkXtqkxlNqh86SAAZdGVW8SHhZyHCYTC2W+47iSF C5pH6+I2qP0EvLfSJSG9nZDvXGt9XeDYNr2EVfhnDuxDwsxz5KHcUitUBIoUESGe uqxzpNbho4M+zcsQMP1vsEXSc2PV1QE1IROXYrqbQxPT+SEHAZ7XGGeL1e1DN6Si rbDt2D8Bto8SbTkPthbNhE0o2hPp8RImxvGIMJsyRWpQ5yKBfHYl4Fotrwvlp79G z1yZ/formOnTlghFYV9h9X/6wPPJunJtVD5DKyrLm8+qz1TL2IEYFRXrF7P04yUf RLVOc1tT+X/5cy8e1oz/2QL7qVk8k0oDgEgv5TCtZ42FHtVseESi3Vdcvi2Te9gI LGMmUzZK9Tg8OUhOgeJyNPce39XWJyHYvzUSSQWJXpT/8ndn+jANfkIQyjpTQgIx dpWuAf69VVa2lnSlS8QxMrpwb3KY634d5STJf2wvERCWUyb/uboLvucOzPRSwf23 mJSR8ptKfcuo5KCdX4tfFXV/hqEAhbJucCfh+ewFe374excw69UadHJXZ0qfaeNk K7yA9Q3KV6YyaJ50E8psoee+ene0SkdsGhMiY0b1MZwYuDMuWhRFH7rTZory3T/s XjoZGTblZzOnuNKizS7EpKXsuf536vgu3wRcOesvJ8dh1hFALNJ3oZipQMpTS5Tv EOfeouYOKSXm9c4dbgqcXhjxkjY0OjIfmn6HXx69Scyhh3tfwpMEAfJDhVOjuBlU Extension name: cjghpt3jv ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D0D1EB62813A842D

http://decryptor.top/D0D1EB62813A842D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (12 IoCs)
  • Modifies data under HKEY_USERS (42 IoCs)
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21.exe
    "C:\Users\Admin\AppData\Local\Temp\68d86762f004d1cfcbe2433b73036ccab0455117a2e04f66721ddefd4de39b21.exe"
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 3192)
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} (deletes all volume shadow copies via WMI, which is why vssvc.exe appears below and why this command line is a reliable detection point)
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:68
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:4092
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: Query Registry, T1012 (1)
  • Discovery: Peripheral Device Discovery, T1120 (1)
  • Discovery: System Information Discovery, T1082 (1)


Downloads

  • memory/68-127-0x0000021123BB0000-0x0000021123BD2000-memory.dmp (136KB)
  • memory/68-131-0x0000021123B73000-0x0000021123B75000-memory.dmp (8KB)
  • memory/68-130-0x0000021123B70000-0x0000021123B72000-memory.dmp (8KB)
  • memory/68-132-0x0000021123F60000-0x0000021123FD6000-memory.dmp (472KB)
  • memory/3192-118-0x00000000007E0000-0x00000000007EA000-memory.dmp (40KB)
  • memory/3192-119-0x00000000007F0000-0x00000000007F1000-memory.dmp (4KB)
  • memory/3192-120-0x0000000000A00000-0x0000000000A01000-memory.dmp (4KB)
  • memory/3192-121-0x0000000002520000-0x0000000002543000-memory.dmp (140KB)
  • memory/3192-122-0x0000000002520000-0x0000000002543000-memory.dmp (140KB)