Analysis

  • max time kernel
    141s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30-01-2022 07:56

General

  • Target

    245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe

  • Size

    160KB

  • MD5

    f92ed77eb41b9e7a0ca17e09f107a9e6

  • SHA1

    24982652cead2fa9c47aeb40cb8fbdecd2ee4539

  • SHA256

    245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6

  • SHA512

    c7a1173385b3cfc9a66139d17a9e9033d49ff5163bc0fb605b5ed65f70ce0826401d49f4cdd8c1bff47cf6f0a3d5a17e1a4b8d0fc74467fd4e56de913f1d6f63

Score
10/10

Malware Config

Extracted

Path

C:\ysc1r6lz6c-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ysc1r6lz6c. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/18BECE6991CC4723

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/18BECE6991CC4723

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:

Key: [base64 key blob omitted]

Extension name: ysc1r6lz6c

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/18BECE6991CC4723

http://decryptor.top/18BECE6991CC4723

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe
    "C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:384
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1272

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/528-54-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB