Analysis
-
max time kernel
139s -
max time network
179s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
24-01-2022 02:07
General
-
Target
4d3fb0e2d5ba3f2eecbb2ac62a0a73581c57a2be39246d861657f21fe2d2c6e6.exe
-
Size
161KB
-
MD5
df5183e50b7ed945858a404987c40429
-
SHA1
bcec29d7497998c085cc6931df0f8874c50678d2
-
SHA256
4d3fb0e2d5ba3f2eecbb2ac62a0a73581c57a2be39246d861657f21fe2d2c6e6
-
SHA512
385e3f00d0879f60f9c85000c1b75d3be234678416442bebc4f62feaa2c590b035c7f323b311073437ab3ff69a59a5b056c43cd34665e0fe93876d6989c9e64e
Score
10/10
Malware Config
Extracted
Path
C:\3r3g82zlx-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 3r3g82zlx.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EF43E4903CBC6055
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/EF43E4903CBC6055
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
tkibTwdvTdrzHuRIoNzDTxdkFC0AiLj+6HWSvwMo/CiNCrmmQEjjywM4I+b13M9u
f3yuU4f8lxegXna+BIx7mYz9O4bWeJ17wIxK2c/16k4bxzLZ4Osg0pez+7NwfI/8
GqKwa6ZlYG7QM5lqVOf+1mnNGKSho4R351KiwaWE2zxEQaCUm1PknU+fdm0gD7zB
40xcZD3/kXFd+vSnImClv5s30syDfbECQ0OI1c3maFxbqGB8XfWOChtXg7ArHf9I
HzHTdnMgHreucfZ/zcyrn53htGbGpyDQOI7Dn0CeTyDu31Oo85zkUMJAzvQngBAT
mhiZF0XMyniIWKTsFf42SPP9P8gyzWAUPUCg7cI34jP0ojUNe6lRNtZHqhuItr49
2y60H3NthmLjSpBgtzOO8LTQOyrcMtjIPF6fpzuv0+WJocpSzNngEfLEWSeK2nK4
V7Pt9i8V5O2SvEeI/R3WPfioY46LM09nFI5G24vjwp5Y+7QS0vvLgSjX6lGFfl6l
FbfAZMcNisScPmjXXp+3mBWZ8cnd6webLk0w5H8pWSDY7aNgPVLEfW9Gu3Dj86WF
9Jkod2ZyDaw2I7kC1vixL/wt1PP3F5n7aOuvmPMg6v+ulA5LLxAevYXw3QxhT6Ue
J1qp2Gqg+++KV2UBPqDMGbugocPvGyOUXzwgJ7tHDFEGTsuOF7NgyerxT2lYp3ei
fdJMO/5s1iFBO073EJDpVibD8zhfE/T7WEQKbYifLA5X4wr9TJbak/msyUuZkcT8
UdTJlNLuRZ4AkYCkh1Qj0WR8AaRwm8xbYxh+Z8OrxPBZt2ka67cy2BiXrwiRvfPV
lZOX7SyNyzBoknPTjHJDuog6JhMNttx9gGus+3C2XvRRYK75/jAXr66o1JFVnRvc
ISw6LPfFhU4y/grSwOmLTDiLqoSVM2Wo189frw0MM4vIcBEd/pnzOxEl7ElsfORc
llwkdBNA111Wo3yg2nj1nkOPbOmEX4XxAIW0HHo6MceVt2zKm+OsPXHl4hGIAk7+
gweX4ZrI9edYday1hLzsuK9NkStrpFPcBqiV8ywXTa4cFrtemAr/IKYkDdnk0T+K
ljRuRA7PcuyEqyclmqb6hoGcwpJH98YFHPW69aXIUus7BOkyCcjk8ES9ki9uyMWB
eo6R1D4j
Extension name:
3r3g82zlx
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/EF43E4903CBC6055
http://decryptor.top/EF43E4903CBC6055
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 28 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 40 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d3fb0e2d5ba3f2eecbb2ac62a0a73581c57a2be39246d861657f21fe2d2c6e6.exe"C:\Users\Admin\AppData\Local\Temp\4d3fb0e2d5ba3f2eecbb2ac62a0a73581c57a2be39246d861657f21fe2d2c6e6.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/956-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmpFilesize
8KB