Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11-02-2022 18:35

General

  • Target

    b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe

  • Size

    107KB

  • MD5

    40c01e02dd940c2b3ca1466799da68fd

  • SHA1

    daa2b8467edff06bf3f8cc926534bc088049a092

  • SHA256

    b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96

  • SHA512

    831b89e00addfbd4e78d90e61ae6874ad6fbe4482099dbd894c4f23236edf72b5d0c86dec72a4f592f84b60e3d3f0797c1f1ae86aaa78d62a5d96ab6070ab2c5

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 4agrfsh5tx7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/913AED0B5FE1497D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: FP98YeJuPz0bim5rthPr2vO1vLwHs3BLgpIZ59VSUIhdj4cdiS2Ao15UAHMNsBB Vxo53efwuM7WtNvS1sTiaAAhotyYxwIkSGMp48j9CfIyqfMGPzVeYdlUwGRJpG8 7DXEmBFY2JUf41M1JhrJ7anLze13xrZT6hLvTbjEJbdVD7rdkPIm87BhaLOHKMk KtBjXqbhs8m9g6RH2xXShjxU8gnUHMb470TmCXUwJsZnV8ekIDWUw4Ck5ql1CGZ fgsCpnoFeclIzJJ9ABDLE0HHDxsrWwdtDS4Hn6y6e811LvNbvqlz94VoZk9257s s91FgPCVDMGrF9P6RkR5pLntI7PrC76BgQJ2UpqLtVhn3MQpKorRoCDgVH6j9US GPFLzzWml3FLUoA06rkhYPpWdMmhMtGMZCaXyBazxCFYj1s2URA2Zw41ksrmNzZ 2x3wSNmC5QutWJRxmeuM5tNwmHjxFTym8mNkpEaosOEmoDirT5FIdmeIjGKKoz6 lbHut5qHhDFeqokIjj1dKOqJVIFBj4Q92SdLhSyvnxhEXIxe88kkxVwXv8Yk0ph nxFlYLZkQvF0WqlvNVkClTpMggFZi3N48P4RShZTiXUzrfZqJMLPQm6TH3E1F9C XhK2HwUdp5RdO90eBHYQVr7oVTkKYchNiU6RhmR4ztfT8JsURYCurtqpjfhyMKE NYE43Ci7ZzeamLoqMkQ3AawgzoQrBFdrpoS54OyRsbn5NSDe5zUN6REwliFOw15 UWwv82tw8w9Kix1SglwwMuPvYkgTVIje1fSibhFlMCWb7Gf9uPjnAEtkGAXXWZa zMeTDeS19fKkJXxySFgiGj6ewwscaJrOwmhPcwcfbXjIzejMSLFS01TPP9hQw0b zx5xhziVfmBHt9xpSMfJPEZY5SR9dPLsl6uU3qCXuzjpztkPcTPDRrLvYh2Ohi2 QaSfwPdwlKIYZetjLsChJAIb4u86WxxzL7TPgOx98hn2JSwQp7rgfBsPS1lCQhZ xXSNbKeC74CilWPSl7rQYFQTJPD6pmvtbHzf0EUGK4umddG3DiAEiQBrG9DMGiX UITGdhtbgnlFdVo0qIK2GlqKLGHY0BI9mhZdJWmWTGdb7KhWcIXD5pQsbI4XZUk felc55KqTgyi9IPNBjv6snED7RqBBbP69g76VrlaRbDhHGQkM53xnY21aifoOJp 2Q1jdLS2U8UpQkg61BGzFicSlnFgwL6MI Extension name: 4agrfsh5tx7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion

http://decryptor.top/913AED0B5FE1497D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
    "C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" netsh advfirewall firewall set rule group==”Network Discovery” new enable=Yes”
        2⤵
        PID:884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1696
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            3⤵
            • Interacts with shadow copies
            PID:1136
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1508
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1836
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
    1⤵
    PID:1208

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt

    MD5
    700dea0e7f32ca9ec626045836fa14aa

    SHA1
    84b6dc5971f29c01235e1a2044c4ea15a50cef08

    SHA256
    571b9be1a61df21379762af2d340505463e4697983489990fe679d2055d5d7bf

    SHA512
    7c320c44dd6887280768daa5f7598ed1938d12fd8e6a55ea38c26a66fd86a681dc3b599777f7d000c430cadbc8833ad70af6d18989b67ae1dcc4121168d126d9

  • memory/1520-54-0x0000000000860000-0x0000000000880000-memory.dmp

    Filesize
    128KB

  • memory/1520-55-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

    Filesize
    4KB

  • memory/1520-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize
    8KB

  • memory/1520-57-0x0000000004B40000-0x0000000004B41000-memory.dmp

    Filesize
    4KB

  • memory/1836-58-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

    Filesize
    8KB