Analysis

  • max time kernel
    120s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30-01-2022 07:56

General

  • Target

    2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll

  • Size

    116KB

  • MD5

    fbdecce06dbb41237f8623a2e50daf59

  • SHA1

    41a8190bae6dc95c2ee1bf536367a8edf3740765

  • SHA256

    2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf

  • SHA512

    7966ca39638ddeb2d75ea1635cec515a540c18c2a56139ba7a8c5c7c81af3cb70c7b2a8123f4da4635f5171c6a31eb6a1e280152c0581a13b3655d88cfb061b1

Score
10/10

Malware Config

Extracted

Path

C:\vn00i-read-me.txt

Family

sodinokibi

Ransom Note
---=== Welcome Delco Automation Inc ===--- [+] Whats Happen? [+] Your network has been penetrated. Your files are encrypted with strong military algorithm, and currently unavailable. You can check it: all files on your system has extension vn00i. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). Also, all your business info copyed to our servers. Personal data and business contacts extracted. If you do not take action to contact us, the data will be published for free access to everyone. As soon as we receive the payment, all data will be deleted from our servers. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B2A46E5D3BC71392 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B2A46E5D3BC71392 Contact with us in chat on website. You have 3 days. If you need more time to make a decision and collect money for payment - inform the support chat about this. [+] How will the decryption process proceed after payment? 
[+] After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KIxp9i4+KvFcFNEHDn7Eer7nNd/7MvP6ALiKTi8jlL5PdeLZu4R4Tubf4UWPtCxd 5Poz6X1WEGYHtMSn46QbWee8rA3WAIeKAlamtgf55svj6jAPhUHbF8kBf4u0WNzb ujyhwwG/Y1tAMXfYJlZ23kcfC3Tcr37uYD8WuIEuEb6RY5VvIlMQxCzIj9IFonao 1WlEFwxWRMK150dnCyK8S1aoI5wdl4rdxLZsf7WBHLdSX7KkxQqDChHfc7PRV5ju c+ryEWscxpA9PP+K3eUfRCkMiAJ9wzwOJp4fhGUirsmWBGS1+tpnU4nW9cxpTNDC bjebs4LeUIr209lFJdzqBhPa5Uoa9yFN6RkkeJiUfx18HLcYxB2agLL4hEM+rhru IJXJFGnQwX1Pcs+RZpk4H52gWy7hrpbRk8mdV4yTowjG2DoDrpnZIQM42DiJNI3X qwYyXGxXCY4XMu/PSARX/xalXKbsdylze4rMNPkM0/PBqa5t1oprNULqdeArbhJZ 2wH8q3/2n7SOUEk1KiWKKT9FKEEcRIw2SskJez7uO91JziiCFeau4S3n/uEVLMZg /sKT54JUcgrOLYiL+67HkSE4iZRJdjWFYbo1wr02SesrBMy/g5mPZLApJNagOYWa KoBAvax6RFlF1FSlBhLpz7pbxaOdP8RJpkX4QJH2ytTuIOmXjMOWgDazZpSygzG7 rfie9lG1MganUtnG/0te1Xb5jwocGjmiiuyMtj84Ns9emENQTMGQPi73/23ZhXbl tWESQYRm3qoL6FhHNACFsFKEL90iUavTRpDrUEiGg/p6EaDuqWhFOKPaHDqfv9J7 uYAoPXDmWta/WxTIB3o1B/mPi1ddVhn37NPB2B9mQexIeFME8qzyVHkTtO3cXBhD PdEEZgJHw7JdL34/0uoQsYpyHiP62M+WSSZEDkYKUURskpugeZ9KiagG+3zj9EDc 37hbIalQFYsxALYuXPr7oi5FwhRDy6t+s4WaszdAAkdiuaEkStQMaX9AahLPZM85 dMQnJdhSXfMXJsai4ObVsX0EzcczhmQh6J9TNCE/cZJJs+WJ1tKHwV1L4LQ9Nlpp PNWgEOLPtFSq/hhVoImLqU5tCqG478upOTufiwbv0DkAPS9FtCiqVQZAUfqm0syu yAFrctOtqNN3N4k8fqFTml0jq9qV34v1I3TSDlHe4ythcOA7Kb+/fZeFN4w0QBlT zXY/ot7HLz60/V5Zlzsklpv0L4+hz+BfZMbTczevl7QeXA7513E0kC/1OFaObhLa fETfNS+e7RI0/g/Jl0d9J0gHOZiTMw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! 
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B2A46E5D3BC71392

http://decryptor.cc/B2A46E5D3BC71392
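
The extracted configuration above is what an analyst pulls from the note by hand. The following added example (not sandbox output and not the malware's own code) does it programmatically so the same fields can be lifted from any copy of the note found on a host. SAMPLE_NOTE is a trimmed copy of the note on this page: only the lines the parser needs are kept, and the Key block is shortened to its first two and last lines so it still base64-decodes. The regexes, field names and the `note_name_matches` helper are this example's own assumptions.

```python
"""Pull the defender-relevant fields out of a Sodinokibi/REvil ransom note.

Added example for this report; it is not sandbox or malware code. SAMPLE_NOTE
is a trimmed copy of the note extracted from C:\\vn00i-read-me.txt: only the
lines the parser needs are kept, and the Key block is cut to its first two
and last lines so it still decodes as base64.
"""
import base64
import re

SAMPLE_NOTE = """\
---=== Welcome Delco Automation Inc ===---
[+] Whats Happen? [+]
Your network has been penetrated. Your files are encrypted with strong military algorithm, and currently unavailable. You can check it: all files on your system has extension vn00i.
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B2A46E5D3BC71392
b) Open our secondary website: http://decryptor.cc/B2A46E5D3BC71392
When you open our website, put the following data in the input form:
Key: KIxp9i4+KvFcFNEHDn7Eer7nNd/7MvP6ALiKTi8jlL5PdeLZu4R4Tubf4UWPtCxd
5Poz6X1WEGYHtMSn46QbWee8rA3WAIeKAlamtgf55svj6jAPhUHbF8kBf4u0WNzb
fETfNS+e7RI0/g/Jl0d9J0gHOZiTMw==
-----------------------------------------------------------------------------------------
!!! DANGER !!! DONT try to change files by yourself
"""

VICTIM_RE = re.compile(r"---=== Welcome (?P<victim>.+?) ===---")
EXT_RE = re.compile(r"has extension (?P<ext>[A-Za-z0-9]+)")
URL_RE = re.compile(r"https?://\S+")
VICTIM_ID_RE = re.compile(r"/(?P<id>[0-9A-F]{16})$")
KEY_RE = re.compile(r"Key:\s*(?P<key>.+?)\s*-{20,}", re.S)


def parse_note(text):
    """Return victim name, appended extension, contact URLs, victim ID(s) and key-blob size."""
    victim = VICTIM_RE.search(text)
    ext = EXT_RE.search(text)
    # Drop the TOR download link; keep only URLs that carry the 16-hex-digit victim ID.
    contact_urls = [u for u in URL_RE.findall(text) if VICTIM_ID_RE.search(u)]
    victim_ids = {VICTIM_ID_RE.search(u).group("id") for u in contact_urls}
    key = KEY_RE.search(text)
    key_bytes = None
    if key:
        blob = re.sub(r"\s+", "", key.group("key"))
        # The blob is opaque to a defender; only confirm it is well-formed base64
        # and record its size so copies of the note can be compared.
        key_bytes = base64.b64decode(blob, validate=True)
    return {
        "victim": victim.group("victim") if victim else None,
        "extension": ext.group("ext") if ext else None,
        "contact_urls": contact_urls,
        "onion_urls": [u for u in contact_urls if ".onion/" in u],
        "victim_ids": victim_ids,
        "key_len": len(key_bytes) if key_bytes is not None else None,
    }


def note_name_matches(note_path, extension):
    """True when the note file name is built from the appended extension, as in
    this report (C:\\vn00i-read-me.txt alongside files renamed to *.vn00i)."""
    name = note_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.startswith(extension.lower() + "-") and name.endswith(".txt")


if __name__ == "__main__":
    cfg = parse_note(SAMPLE_NOTE)
    for field, value in cfg.items():
        print(f"{field}: {value}")
    print("note name consistent with extension:",
          note_name_matches(r"C:\vn00i-read-me.txt", cfg["extension"]))
```

The victim ID is the same 16-hex-digit token on both the .onion and the decryptor.cc URL, so the parser treats it as the stable indicator to pivot on; the key blob is kept only as a length, not interpreted.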

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (37 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 956)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 1100, child of PID 956)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll,#1
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

    The 64-bit rundll32.exe in System32 cannot load a 32-bit DLL, so it relaunches the 32-bit copy in SysWOW64 with the same arguments. That is why the drive enumeration, file drops and privilege adjustment are attributed to the child (PID 1100) rather than the process the sandbox started (PID 956). The DLL is invoked by ordinal (#1) from the user's Temp directory.
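
The process tree above is the kind of telemetry an EDR or Sysmon would record. The following added example (not sandbox output) replays it as constructed process-creation events and applies the checks a hunter would run on rundll32 launches: a DLL loaded from the user's Temp directory, an export called by ordinal, and the 64-bit to SysWOW64 relaunch of the same DLL. The event layout, the parent of PID 956 (unknown here, so `ppid` is None) and the benign shell32.dll control event are this example's own assumptions.

```python
"""Triage rundll32 process-creation events like the tree in this report.

Added example, not part of the sandbox output. EVENTS is constructed from the
report's process tree; field names follow Sysmon Event ID 1 style telemetry.
The parent of PID 956 is not shown in the report, so its ppid is None, and
the third event is a constructed benign control (a Control Panel launch).
"""
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\2253f5222ebad25243cd8e3d7ac416939a7cf4f52e991ee3bd6e2f2847d28faf.dll"

EVENTS = [
    {"pid": 956, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1100, "ppid": 956, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    # Benign control (constructed): a normal Control Panel launch via rundll32.
    {"pid": 2000, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# "rundll32[.exe] <dll path>,<export or #ordinal>"
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?)\s*,\s*(?P<export>\S+)", re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, export); (None, None) if it does not match."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None, None
    return m.group("dll").strip('"'), m.group("export")


def is_rundll32(event):
    return event["image"].lower().endswith("\\rundll32.exe")


def triage(events):
    """Return {pid: [finding, ...]} for every rundll32 event in the list."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if not is_rundll32(e):
            continue
        dll, export = parse_rundll32(e["cmdline"])
        notes = []
        if dll and USER_TEMP_RE.search(dll):
            notes.append("DLL loaded from user Temp directory")
        if export and export.startswith("#"):
            notes.append(f"export called by ordinal ({export})")
        parent = by_pid.get(e["ppid"])
        if parent and is_rundll32(parent):
            parent_dll, _ = parse_rundll32(parent["cmdline"])
            if parent_dll and dll and parent_dll.lower() == dll.lower() \
                    and "\\syswow64\\" in e["image"].lower():
                # The 64-bit rundll32 cannot load a 32-bit DLL and relaunches the
                # SysWOW64 copy with the same arguments; behaviour lands on the child.
                notes.append(f"WoW64 relaunch of the same DLL by parent PID {parent['pid']}")
        findings[e["pid"]] = notes
    return findings


if __name__ == "__main__":
    for pid, notes in triage(EVENTS).items():
        print(pid, notes or ["no findings"])
```

Neither the Temp-directory nor the ordinal check is conclusive on its own, but together with the WoW64 relaunch they reproduce exactly the shape of this report's tree, and the shell32.dll control shows that an ordinary Control Panel launch produces no findings.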

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1100-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

    Filesize

    8KB