Analysis

  • max time kernel
    167s
  • max time network
    171s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 07:56

General

  • Target

    245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe

  • Size

    160KB

  • MD5

    f92ed77eb41b9e7a0ca17e09f107a9e6

  • SHA1

    24982652cead2fa9c47aeb40cb8fbdecd2ee4539

  • SHA256

    245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6

  • SHA512

    c7a1173385b3cfc9a66139d17a9e9033d49ff5163bc0fb605b5ed65f70ce0826401d49f4cdd8c1bff47cf6f0a3d5a17e1a4b8d0fc74467fd4e56de913f1d6f63

Score
10/10

Malware Config

Extracted

Path

C:\ft272-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ft272. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8FA640F790478E8F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8FA640F790478E8F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: vPcTP4KcNHNB6rKUMYKQDbjpAqzn6Zg5t4tQB3govG01RGB+Vkk6vQNy5RP/StWx u2N5CgNBRcrArFPMMskO+BvHVO41YzV2imtaLa6UxRme5EI9k9UGQPpj1FzoeAHS GXu2d4yVmrKRPW+eMYjR+forU2vkPnbNpCYKZYwZTcYU1qUxJvwHYU67WA7IO/oR OkJlL95zK/Siu+3j34g8oQ53B9Tiq4AqYcnRW55BYJYatEbPRkRrtZc7695CYes4 w95/voC0/c46xiDkxgnvOSiQtPn4Ie+bzrBxoWLnmdxJwuTrmjJZwgP2qITxZlOc HAUy2o6l/gf/5WgBCW0YCvY6wjT9XXieiqhi7SXKm4jUtv0GQF6v71aUzENwIEqN b4CkZsl7YEcJ/8yVu2rRkbYzinpRfTu7Fx0/4BnxTDuE6AmmgtikLaf7YUiv/lcd Hnv9jh0QUMIJII82ejSUeMLyJnwFNiAEEo0aJEjAzLWVPYZ6TA28ubQ5cLQ5EsAc cYPapWsI6SlqQj4iV1ShoxVDQywWN7yzoHHU7J5m0zxvHF2kIjBfybGTCTbJ5w3a y6Tbs6z7/GH3eOWLtifhgBfTMrVaKauhP/Hddh17C77DU+Tm9+VKVpzBoA9DYOia QjzWzzYnGIwvS+m1/BFkvCs4zwq9a1hrfZMu8H9M+XuZzyUZSinSaBL2bYt1helC uu366eib3jEPBVxFo0i1AGZQdBzytYwmhBR4Dl+mZ/Z9aTyPeM9MQHJs0VVZnkaU IwtBBo6yS+sdtrhAmOfAdMJLEZE4wygZvHhace1qiHtXqVskavR4sOoHuw/mAZqw Jqv4G/usLycu2Nz/WP4uO5WRnN6EtqI1bukHvLx2IZAmYcjHEDpDbuXWKWfAcdE3 j3M+5CCABkun+kas57l3GkoOWvY7UbYPOkdhQBeLbEbnVp+SS56TeN/R2W9gqEYE Jgm7HI0oELouc5AYmvS6l/Y6Qhu5vuQJz9yBHiNOxZkKFC6aCsE5GJra3h5Sojyn nEp2gEF5qmdnWOifMIg19ByhPt/Ff+NJ4NKf4TKDoHIJUAGe2ElPYn3ztnDcWtc8 zuA3u0x/wy9snktXv3sw3T4Ft352x60cd8ZHAXOJkbPIbwKV0yc= Extension name: ft272 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8FA640F790478E8F

http://decryptor.top/8FA640F790478E8F

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe
    "C:\Users\Admin\AppData\Local\Temp\245f43b7d93d48e12db0082955712b7a229127fdd37e5b162007db85c463cca6.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2312
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads