Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30-01-2022 08:00

General

  • Target

    151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

  • Size

    161KB

  • MD5

    39e312e75a9ba302dc0617f958458522

  • SHA1

    eab1865868367c11e0d0c5e8732295089bb277d6

  • SHA256

    151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6

  • SHA512

    275544339fbad34e4ad44b3223f2268adf4c0e46d9bdfd3a64704de5821b58944cc44bf83797090c93c8e484378f7bea199bbb50cb2eab16ad7899952cda56e8

Score
10/10

Malware Config

Extracted

Path

C:\7592o7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7592o7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. If you have any questions, or experiencing troubles with the test decryption, you can use our chat on the website, our stuff support will help you as quick as possible. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7093E7A3584ADB3F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/7093E7A3584ADB3F Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: CMWtaI/Bw/GmjLibWisBcd0LSKK1wos1Eb03OxV2OtirjqdKp0mwrn4EF54jxlXj 6OPYqogzR1zsm6j8WPT96InRwH5cHglYyp8gxmVWIuaSD17kyW/iIWYEa+A1w34h uekbOA/yyuTcWvBBN02H/uGBH7fQSa4AE8vzqRpHxBqYhLxI5idx58XxSM5q/zbv pmEMyxKmfc/q71bU8b2MoP84BkE9NV7RIYbnh5cSqulmOwIv4zH5wiNgU8vqSaXo A3H+SkQebj4QTeUDLjKRhsT5/ZP0k9O1oQCcUrfgINY3oDKo6AYQ8v3ABOpBAHY+ vaD++RU9z8i1bjXEcy33kaxkUWnxhdhXYmS+c0uGf41BBr6/f4sLBd3oWAXDlLLn 7Km/Juxusgpr5RwVe4IU3vANtKRUk6JoVOvM62FEr3FpSC8FitkzBIhmKFqyF5vd UxvBanOShmeNVWsNeD+wcrhtcC5MV+fJBXEscOpIJpr/uemt3CN1nWIiLDGtW6OH 07Phbyywr0yNPd4dqvk2Ukmjq6/Xcq6kvKr0GcMhs7DYgMUBxEoIQMQXD1Aa21mT Q33X0pPA9lDUCCzlsemTSXXCbg43lXiELSWIMaD19fHhT7lKVDrVFeyFUci/aGNN jbfWP2ubE5soG2oCMhIE8QYDarnA0Wl3SHcyulC95RrwnxYnyCFLrwM38gYnlWY/ QGRUfeYRDsMUbqlJxsl0VyTKA0rkkANITd94SB6I8LUu4j+8f6XV+nejHykfFei2 QGPgHxKkzBatuytQ5Tl+xg+7+oGWKWhgBRLJioD4LGed+WYxuGFTXTy168eTa+uL dhWb0DLnm46ZxyqTjCCXKqfLbglSbTXq+DWI9AOWIHjSVhzgfYytayOOsbuqRs1H v382EwS2YTnVOpg3y+EZpKbyEjDnHOMdWs6ugDytFLy3FF5MzRz0mRld1XsPomtl y+gViOuQt3cj/kDEAJ3sADSGmKO6qV3C0QVfetlcUxwl5cVqrZuklXzT8XmvHwOq Zo+6+3xprhaFQhkEpcCnxxpmzTKzfbZ6rkppv5e2Bws+aS7RK+5FGKPfDqCwzGUL r7qwzQJLZsRgAOvsrFyvmF61uvMtdn2h3WvcfV8I/9AC5negGHvohsI/aL+40V8N Extension name: 7592o7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7093E7A3584ADB3F

http://decryptor.top/7093E7A3584ADB3F

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
    "C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:580
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/848-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

    Filesize

    8KB