Analysis

  • max time kernel
    139s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    11-02-2022 10:27

General

  • Target

    b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe

  • Size

    107KB

  • MD5

    40c01e02dd940c2b3ca1466799da68fd

  • SHA1

    daa2b8467edff06bf3f8cc926534bc088049a092

  • SHA256

    b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96

  • SHA512

    831b89e00addfbd4e78d90e61ae6874ad6fbe4482099dbd894c4f23236edf72b5d0c86dec72a4f592f84b60e3d3f0797c1f1ae86aaa78d62a5d96ab6070ab2c5

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 4agrfsh5tx7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/913AED0B5FE1497D

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key: 8615ysoU4dypOy7xCbDZ3SrvP1yxBZwkYPHz9wq2x7nYLMAd96PfdfLqOFq630T eqNQ8rIyQuKm5oTkD1UyEKRH2Dak3Gt86oIr85Bw1I9uS3QC5fnFiCOUYGX4Qh4 JBMpRglmHzi76Khz9xYoYdoZ4axS1hHfTOztFN8fT2fPAERJ1RYG13fqWxv1tSu jsCosVxtwz3Vf7YZzInbkJAoZtJWScHwAI5g7ajyEhmR8h9s8Y5sF1JasYO8Mab UrGUXB1bZizXDhtp1taY3gZrJ9fyiMkmnFRj1NmrG6gKQeG28sWPvBhxSZLXfD3 N7Mt7PJyoHtS79Oao3nzzzV0lheRcCOLDDTMDuImz4rHCtkyD8ge2NDXlWIZv2V l3iP4pCX4uAA4HOx27pNdgtSz96kqms16iGNedqJBlmt2MJPXjPcGo2FJPZ4scr RBIDVBASYQfM249ZmzqNHWQvRqAEODvaj4UsuJxOWQ1LkcALK0xEBOj4vXvpA6D UeEn8jRpdCc00fFKzqz3YQqYUUZ7WXHNaMgqfzBl2LTCjYtZpM69LCpDyqToKUS F5Pan8YoAoNBN7oz5lARJbIBXhc2zfXbi2NGU8FaRi5V7BbGJ0XCJCIoxNCFggz eQwcUthf7fj9lfwDWGVs8IURftjTG594vsbELiGXmVZhjDhIAJq9Kx0V5f7lKOY CfpO2Es2x98GntxrcMaT6PAu72FIplfNX6XC4yoESQ2ALrNmIxeYt5bwf5QA8jM MdvsqWvxniVBpXAiQpdA2GHdcekg9hnFsDqgZ8gPX910Y4wZeWAVfiUFWSPLvOy G4QSlrdJRINn3PQFisKBngRjKtkJHsUdILv5HlKsBMsMS5a0FNrclMLjmqI1GUB iytereV77icAayFQOTtD4B126ALSbdSlrLKYjasWuQt4ILvvhZ3iWQHh60hrSCf dQ1TPnqrxkXSnR7uvPavCktOaDmct3BDsuQnR1fH1sF897dP8Fwc1Qd3hm2LAN7 4jUk3BUd3tT4TeuPdjXenGiLbQXFp9UGnuLZoXkNnm3tiWJYxWZmntUxAIImnOx 3YNRjTUkG8J0BNynEH8SSkrd3aXZgO8jYy9UVFkEcwSnd2TkMfDfp6fTruXJ65E 2AkcMNdR9g4zgRD9BHwMBKc4cTpnlsaIhran3aGWsNE8vG9CnuVCJsDrhp93hzq QGvSy0aGlAaexGeJWTnA1WY8yotGNaNy2

Extension name: 4agrfsh5tx7

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion

http://decryptor.top/913AED0B5FE1497D
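As an added example (not part of the sandbox report), the Python below pulls the indicators listed above out of a note in this layout: the .onion URL, the clearnet mirror, the hex path component of the mirror URL (assumed here to be the victim identifier; the report does not say), the extension as it appears both in the body and after "Extension name:", and the key, which the note wraps over several lines. The embedded note is constructed in the layout of the sample's 4agrfsh5tx7-HOW-TO-DECRYPT.txt using the URLs and extension the report extracted; its key is a placeholder, not the real one.

```python
"""Pull indicators out of a Sodinokibi/REvil "HOW-TO-DECRYPT" note.

Added example, not part of the sandbox report. SAMPLE_NOTE is constructed in
the layout of the sample's 4agrfsh5tx7-HOW-TO-DECRYPT.txt: the URLs and the
extension are the values the report extracted, the key is a placeholder.
"""
import re
from typing import Dict, List, Optional

SAMPLE_NOTE = """---=== Welcome. Again. ===---
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 4agrfsh5tx7.
[+] How to get access on website? [+]
1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
b) Open our secondary website: http://decryptor.top/913AED0B5FE1497D
When you open our website, put the following data in the input form:
Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Extension name: 4agrfsh5tx7
"""

URL_RE = re.compile(r'https?://[^\s"<>]+')
# v2 onion names are 16 base32 characters, v3 are 56; the sample's is v3.
ONION_RE = re.compile(r"^https?://[a-z2-7]{16,56}\.onion/?$", re.I)
# The key follows "Key:" and is wrapped over several lines up to "Extension name:".
KEY_RE = re.compile(r"Key:\s*(.*?)\s*Extension name:", re.S)
EXT_NAME_RE = re.compile(r"Extension name:\s*([A-Za-z0-9]+)")
EXT_BODY_RE = re.compile(r"has expansion\s+([A-Za-z0-9]+)")


def extract_urls(note: str) -> List[str]:
    """All http(s) URLs in the note, with sentence punctuation stripped from the end."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(note)]


def extract_iocs(note: str) -> Dict[str, Optional[str]]:
    """Return the indicators an analyst would record from one note (None where absent)."""
    urls = extract_urls(note)
    onion = next((u for u in urls if ONION_RE.match(u)), None)
    # The clearnet mirror is whatever URL is left once the onion and the
    # Tor Project download link are excluded.
    clearnet = next(
        (u for u in urls if not ONION_RE.match(u) and "torproject.org" not in u), None
    )
    victim_id = None  # hex path component of the mirror URL; assumed to identify the victim
    if clearnet:
        tail = clearnet.rstrip("/").rsplit("/", 1)[-1]
        if re.fullmatch(r"[0-9A-Fa-f]{8,}", tail):
            victim_id = tail
    key_match = KEY_RE.search(note)
    # Remove the line wrapping so the key is one token, as the portal expects it.
    key = re.sub(r"\s+", "", key_match.group(1)) if key_match else None
    ext_name = EXT_NAME_RE.search(note)
    ext_body = EXT_BODY_RE.search(note)
    return {
        "onion_url": onion,
        "clearnet_url": clearnet,
        "victim_id": victim_id,
        "key": key,
        "extension": ext_name.group(1) if ext_name else None,
        "extension_in_body": ext_body.group(1) if ext_body else None,
    }


if __name__ == "__main__":
    for name, value in extract_iocs(SAMPLE_NOTE).items():
        print(f"{name}: {value}")
```

Both extension mentions are returned separately so a mismatch between the body and the "Extension name:" line, which would point at a tampered or mis-extracted note, is visible rather than silently collapsed.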

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
    "C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" netsh advfirewall firewall set rule group==”Network Discovery” new enable=Yes”
      2⤵
      PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:2564
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2184
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3720
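The two cmd.exe children of PID 1944 carry the commands a detection engineer wants to alert on: vssadmin deleting the shadow copies and bcdedit turning off Windows recovery and boot-failure handling (ATT&CK T1490, Inhibit System Recovery), and netsh enabling the Network Discovery firewall rule group (T1562.004, Disable or Modify System Firewall). The Python below is an added example, not part of the report or the sandbox's own signature set. It runs a small rule set over process-creation events constructed from the process list above (straight quotes in place of the curly ones shown, plus one constructed benign event as a control), splitting chained cmd lines on & so each sub-command is judged on its own. The rule names, the Finding structure and the parent-in-Temp heuristic are my own.

```python
"""Flag the recovery-inhibiting and firewall commands seen in the process tree.

Added example, not part of the sandbox report or its signature set. The events
are constructed from the report's process list (straight quotes replace the
curly ones shown there) plus one constructed benign control event.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: Optional[str] = None  # None when the parent was not captured


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str  # ATT&CK technique ID
    matched: str    # the sub-command or parent path that triggered the rule


# Rules run against one '&'-separated sub-command at a time, so the chained
# 'vssadmin ... & bcdedit ... & bcdedit ...' line yields one finding per command.
COMMAND_RULES: List[Tuple[str, str, re.Pattern]] = [
    ("shadow_copies_deleted", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("windows_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    # Tolerates the doubled '==' and any quoting around the group name.
    ("network_discovery_firewall_rules_enabled", "T1562.004",
     re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+set\s+rule\s+group==?\W*network discovery\W*\s+new\s+enable=yes\b", re.I)),
]

# A shell whose parent runs from the user's Temp directory, as both cmd.exe
# children in the report do (heuristic of my own, not a report signature).
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def split_subcommands(command_line: str) -> List[str]:
    """Split a cmd.exe line on '&' / '&&' so each chained command is judged alone."""
    return [p.strip() for p in re.split(r"&&?", command_line) if p.strip()]


def evaluate(events: List[ProcessEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for sub in split_subcommands(ev.command_line):
            for rule, technique, pattern in COMMAND_RULES:
                if pattern.search(sub):
                    findings.append(Finding(ev.pid, rule, technique, sub))
        if (ev.image.lower().endswith("\\cmd.exe") and ev.parent_image
                and TEMP_DIR_RE.search(ev.parent_image)):
            findings.append(Finding(ev.pid, "cmd_spawned_from_temp_binary",
                                    "T1059.003", ev.parent_image))
    return findings


def techniques(findings: List[Finding]) -> set:
    """Distinct ATT&CK technique IDs covered by a list of findings."""
    return {f.technique for f in findings}


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report's process list; PID 4100 is an invented benign control.
SAMPLE_EVENTS = [
    ProcessEvent(1944, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcessEvent(2172, CMD,
                 r'"C:\Windows\System32\cmd.exe" netsh advfirewall firewall set rule '
                 r'group=="Network Discovery" new enable=Yes',
                 parent_image=SAMPLE_EXE),
    ProcessEvent(2564, CMD,
                 r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet '
                 r'& bcdedit /set {default} recoveryenabled No '
                 r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures',
                 parent_image=SAMPLE_EXE),
    ProcessEvent(4100, CMD, r'"C:\Windows\System32\cmd.exe" /C vssadmin list shadows',
                 parent_image=r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule} ({f.technique}) <- {f.matched}")
```

Splitting on & matters: a rule such as the bcdedit one written with `.*` would otherwise match across the whole chained line and attribute the wrong fragment, and an administrator's `vssadmin list shadows` must stay clean, which the control event checks.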

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1944-130-0x00000000751DE000-0x00000000751DF000-memory.dmp
    Filesize

    4KB

  • memory/1944-131-0x0000000000EB0000-0x0000000000ED0000-memory.dmp
    Filesize

    128KB

  • memory/1944-132-0x0000000005990000-0x0000000005991000-memory.dmp
    Filesize

    4KB

  • memory/1944-133-0x00000000058E0000-0x0000000005972000-memory.dmp
    Filesize

    584KB