Analysis
-
max time kernel
168s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
30-01-2022 07:57
General
-
Target
2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe
-
Size
157KB
-
MD5
d8c7d853d3af593805d5be7a06aa44eb
-
SHA1
2fb9eb11bb466142a0d3a0985495dfe1194339cc
-
SHA256
2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5
-
SHA512
2e8dfec998de140b670e6342df6d630c9208a529664674323fd538545b1649fbb4aacabe654e3f007e6974b1e1b7dcfe90fd1c8bfa2e7f7473c19ef60d8cc321
Score
10/10
Malware Config
Extracted
Path
C:\odt\ta3u64-readme.txt
Family
sodinokibi
Ransom Note
---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ta3u64.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.
[+] How to get access on website? [+]
You have two ways:
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FFF21A5B1AC5778E
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/FFF21A5B1AC5778E
Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form:
Key:
2ntBD9C9id4bg7I54knFXX0gnJ2yKZ13Qb34eqoG7nBDwDhLRB9hGQvpmABISS8M
5AQxdlQ5Vrk22Qxv1Rdz7GajmkEvEltU253Hb3OqdPswRhHO6+SEQSs5xmVLtGwU
CGeWsAf7hol7JoB0XXTIcEeuHMLOXn1JUhunW3341IgFvcBDDydPGCL+WhmBaAes
6mi8MxIzLuuAVT4Ad95uPCVQajMDGPi5jfp1XkVixX40nt4BwbsDEKB0SGJP396e
n30V9eHK4RSFZnJUmN7UIFQnjduYU7cXDK8Og55aCWZrJXJbq/71aBHytKhxjSqJ
YbFv5bYVMSQbl078SkMnW6mQ4y7cS3ruXORjYCBQvb+RjsXIkoNHTzHKXhMi4ctA
8tXW8ZfkKhVomL8CdVn8RG30e9zQe1nTc3shLiop8ayE29W74C1HCsCcnk7Xf4kv
8R4spDKlvX6R78ejgO3dXvj7hEs87TYC1zuYF7RiBO7tvWhmW5fcV+kaS5jFtNX0
XyeMZbHUEFp2xofZTRPUqyUKHP8/V5ELCFdaoXiI7ZLujko95lcRHUjUAuQLbBbl
l2vMqb3rJNFt2qu2vN0BUhJ9Nt8a3p8lXuQUb1sg1T1r2h64MPP5dEUeKQKYC9M7
sC2bHu7H/JznbrQeygj2WyNMWIc8wx3owulSN1jwtJV4tiEso08L2JgB02lC3x4H
elMqX0IbZlRXSYIJO147MsC4SmV2Z+rzsDJDfjSm7vrnBOohMeOGHOl66mDsubSs
DNxiMW82XJWhxcR5GAbFmJIN70iAIlgD44qD93fi3z7ERqFaMbr5Ux6hAZjkSKcU
ozJt4cE4uA7hS2eFdXo4wy/DTk2fFAzF8i8BNn9DjvIZtAMOai10YUT+S0gh3h0B
cKOtiuYmTj98kjWZn4/lCWJ+mC/K00Qy1pBjCPYwQScxTynq+M5ENi+8OWKfDxJU
Vm/2+uihphFwOa3Iu2w0ILHjBt1bnDaAVF6+zHOnARrK35HDJDF5Q5iiYUBTZpY2
I3RAQHtyDp3cDT4Rud1J002IBnhestoOMfYs2rl/W6OZAQn/UkS2tay9rT2sQ/wo
/1VhrjivoxTRFA==
Extension name:
ta3u64
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/FFF21A5B1AC5778E
http://decryptor.top/FFF21A5B1AC5778E
Signatures
-
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 24 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe"C:\Users\Admin\AppData\Local\Temp\2181579e0125e8087a3269ee8a90a973307f67eceb7122fdc7463db6bc5050b5.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken