Overview

overview

10

Static

static

10

448931d68d...ab.exe

windows7_x64

10

448931d68d...ab.exe

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    448931d68d6614de83899a8f15f504af8f65f3a9543c74dcb8601fca7c6dffab.exe

  • Size

    179KB

  • MD5

    a4f599b558815938a9eabaca693b0021

  • SHA1

    4a0ef962e3b2b01eb07177a2778d0cd7c9352989

  • SHA256

    448931d68d6614de83899a8f15f504af8f65f3a9543c74dcb8601fca7c6dffab

  • SHA512

    685ee2b6898432ed1c6429e680b8c34f578558ad42f08f0e07ffdf30d5de56a38d511245c9eb19d7a548d97ab64abcbf384e62a94433a205161bec3be0b48564

Score
10/10
sodinokibiransomware

Malware Config

Extracted

Path

C:\vuxv3w7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion vuxv3w7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5EB17685BFA0D5D1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/5EB17685BFA0D5D1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 6uQK/ecglXonL2Ho1LvAlhcoE2ksjPgYtXSZGmXODoMIbBQJAiGYxDfwcYs1eScU bQFRWoNz1tZkdggBECuEh50wHAbHcBZ1TJqoS4u7/FSWVb/CTE5vBN2j7o8QQWQ1 lAcsYJNU5moP1UnGcb6OWfyNT6hJdLUaqK7bFgMAM9VV7oPXrLDSMJLcNfrDkO3E O9j+QZriXbHhenbbChUviIY1gdFZqQtVOEoFLBwr7b49YHfxXPrF+lrzc8q1jn4x vAePlqHo2VWzIbX/GqKgP6kd0MiBTVecSJaALu0yIkgkElbNn5C8FCScaNVdpxGD vvwpnukoEwQqf7UWDELD082uxt/6GFeJk0HPRxyycYQrOYoE7c7L8aAtCrPUjaCB 4xrpZCnK4TScc63qB5bT8w17kvV0HyaLrltvYCEvJXgeeiHw9akN6hSkVOPlbkt3 mRwE4vC6Y7eeC542yR5YAvtRIvUCFKulxB1qgihxOaZmrsH+k3oNzl1z7UWT5Mne /9aE//qEEu6Lp9BtZUxGLOgM66G7HvcBWt6i1EMKhJxkNmyiYNpkpJ6xDCJlqWzv zMl6jG0BV9MX3B2Dz3mdGpV0+5HCURdUoNcvTjd63zYx09WJHRC/97NeLrFndNd8 X8a0ZaoB+2hKu4pj6TD5rIJqHX5iekCda1rYDHc6uKLHrLwP9wQYqNJRrfMFjl2q Fd38wdcz0QYHS+FCEmxbl4nqbthhQrqp3+A5Plu84xVQ2JfY5URnpJhsIb1HRjr8 h92gcxxpwm/9D6xcUdJf+iKJSIRJX/IEOcve8JFZxkSHrs++6rxRu6PD2XFCvWrX VpHCPzSbulykaFs9ArfQpO5z8MRyqOCkEshTJWOCtkMl0Qb/dmYj500jPApu+SHD Ypmn11HxW4TZW02BW0BUriaB3MEVNz5D0sEYB9hWUMfPBwCry7XwJIdOrSg4cxQq ugm+Z6dWFCEugTDC7WL+ASHc4I2xBRZBtwtlys8kxrJLjidhGbySN8RfSt0fr60h +HmjFQegbN8ziFRXle9cGFDbeMsOL/qNA+WoVkdlRxGNoqjZZYknDZgYhoEjEHd2 eFLbJdviHcWU/G7qKwd1FYXX0nYChS4tJGd/vN4y5XDfyKiw7kIAtcGT7WVN6b1l 01I= Extension name: vuxv3w7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/5EB17685BFA0D5D1

http://decryptor.top/5EB17685BFA0D5D1

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\448931d68d6614de83899a8f15f504af8f65f3a9543c74dcb8601fca7c6dffab.exe
    "C:\Users\Admin\AppData\Local\Temp\448931d68d6614de83899a8f15f504af8f65f3a9543c74dcb8601fca7c6dffab.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:308
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:548
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1900

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1896-54-0x0000000076C61000-0x0000000076C63000-memory.dmp
      Filesize

      8KB

      Download