Analysis

  • max time kernel
    150s
  • max time network
    173s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 08:00

General

  • Target

    151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe

  • Size

    161KB

  • MD5

    39e312e75a9ba302dc0617f958458522

  • SHA1

    eab1865868367c11e0d0c5e8732295089bb277d6

  • SHA256

    151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6

  • SHA512

    275544339fbad34e4ad44b3223f2268adf4c0e46d9bdfd3a64704de5821b58944cc44bf83797090c93c8e484378f7bea199bbb50cb2eab16ad7899952cda56e8

Score
10/10

Malware Config

Extracted

Path

C:\5j6vm-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 5j6vm. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. If you have any questions, or experiencing troubles with the test decryption, you can use our chat on the website, our stuff support will help you as quick as possible. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8730FAB1410035B8 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8730FAB1410035B8 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: N4vDeyvoWaXIstdHFEuTIol3mvr7bpdpEQBTiSk/f3x0A0zcbyFGay4p0OIlFYVl wC/z1aZPGC/pRBW+wNkIUKUZqSeXrn7hiFCipggZmBOT0VujQLhHLAhzqBLpxcup vL+LueqGQ+HiygXLdV6Gu4Nj04/vGJIiIJMceBMQZp9JC4rr0+PagZBLX829n0CY XkJzBoiINVkKAZG+3bxDOw4DV2Y6nwK9bQW3KcEa+wNU0p3NDZnzBgZIjVGAM3AV HketYv13xwRjkCpXd4RcKpmDMiWBA20ztSuQo4vQUay9Tf89EAedts4BwCrx8kwd 30JB8cbv1XcMmK0CZNnqXA9SdILVPBNcavqv55CWsYFKiZ3zm/mXWoJU0G+PnIwl lg52TH9OaOt/Ic43Min9Agg1BZ/YLiwMtKhdfO9usdnDnsqhzBaJCwR4liKDFbb9 iMblfJupawM/xxqaWge8TLyLiVh1QgPFmm50riULJBtY76xWwONFC74yjfIfiuz4 5SSeLwMBWm7Ky2COpj8V1YRzD6+9JldCRR0kaGRPII6Gi1YqDJMDhpAvPar8xYM5 A0+YqGnG3HpbVolKkIhLpx44FiBAzi2Xm5T0KzhDOZSHyDXP8xYhToEwuqZtI4s3 dl0m3A04N0XKIBi2bfkaRm5MsrCwFc07plqb6/W4FafibvrZoijD7Neeazd0z6Ek q2gZLTQ8dFYAQZ10RjkC3RiXjzR9ax2P+Dw82ZVnOo09Bckzbiv246+PSisiX6+Y E7j89scm3O6KnwvB/+Ez49ASEE60yNaRZ0RHzaDWvM+fhV9PFsKyJe9JRxQbOGLa GbIeHKAgD3yvkC+b+6FmCgP2gHJvU+pb9IVb8gQrr26Eg2zIB4Jo+NebofZpft4K z5Mt/Cw+I5VTSmGralpndX6Yeik9s6yPNUsdirBlJpAg3FYHvN6TbkDjdmU8mIWC 5/ApYu2S4ttrK80dkJ7RvQUsEOCyUVCmg94wSAZn2oO1Bu4hayo/Hdb8WRoRjDtL s3g72Tl4igoWeaRS0w/kk542V+LDWsLH3ko0jUXZfZDWb8oz4I5UZXCnAnQTNNcr MYAL5tTAEGY5n71oQ9ncb8ZzYkTXJa9ubaGC3egLHP0sXxGT4U0= Extension name: 5j6vm ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8730FAB1410035B8

http://decryptor.top/8730FAB1410035B8

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe
    "C:\Users\Admin\AppData\Local\Temp\151271bf05310f94cd33cba3eb90be264edc4828c04e4e82f492b8e2576ee7a6.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:4016
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3424

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads