Analysis

  • max time kernel
    146s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    11-02-2022 18:35

General

  • Target

    b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe

  • Size

    107KB

  • MD5

    40c01e02dd940c2b3ca1466799da68fd

  • SHA1

    daa2b8467edff06bf3f8cc926534bc088049a092

  • SHA256

    b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96

  • SHA512

    831b89e00addfbd4e78d90e61ae6874ad6fbe4482099dbd894c4f23236edf72b5d0c86dec72a4f592f84b60e3d3f0797c1f1ae86aaa78d62a5d96ab6070ab2c5

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 4agrfsh5tx7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/913AED0B5FE1497D

Warning: secondary website can be blocked, thats why first variant much better and more available.
When you open our website, put the following data in the input form: Key: ebTRuZo4SxYjplpHnA1XYEcEoDX1GXedeqDmT42ZU3lAWMEujHXaE34a8PnrBxy 5T4F8iCxsHbCecbrb8nR9ADZkvmnERKXhFqrcHFMhToSm0a8ghLtYgz4QeeN5Yt b7EfZvuPU2atpWuxuVoHgFb9APwb7m2RIkMViUAMwS007wJigru1QRMVfFfJ9TR r9JlFKYOZUbVNPkBNGN4P2BA0X00dz1McAI1yLEYHdUgy69G4ERCvYCy7JusThv jdP2MGtMCCzxwifL4Xt6ZhyaE8T3oaVEkruDjDwAK1PA6lPQc80UklWCoyyNwzh mqvMFxbl0ltvhSxectDaqkBe8UsYvPiNUTmUKYKdAW9t00yt1TVetZ0BoQOuED0 lCfaOpdTDijZUlSnIf8hb3Ee5clp3KZZ7gXrVajEX9R6J9gaWnGOFgYr7AewEyZ 3IKcyNkSr54JclIU65KSQELTaHqtU5x9jjYx9grNwUYSKX6Fzpi03fJz70Cqg17 wI4k2NVVZN7g5q2JDLk3oW6GDajzIeAq4XlKPxE2eUJm59NIFr8f68TZLygcnfN 4NRliEs3QGrYUNUKEMauagft6EM8bRmO9HPZoXpEWysYOj8M1obPNuwYshpe2tb 9edZN74frhVXmxGeXF9GxzWAOU1rGrLMmWt3vJvO6Its1XJklCSY2moJIcL2GNZ 9VJvPEMtNUvKpGoJ1LQFEZxT9skvT82HtttWrl4gZTEDHc9DeSTr0HUki0vgeaa Pbna6WRbPQtquVtMgthRAoLRmYJy10XC83zldCCqN1EaGbkPznOw7JZkQWxhNdj Y2rr1gHtdq0EIjuKLx48NllFzdOVGPfctRpiYtstr4uGGFQAfLltTeWxRm2YRwm OLXU14MvcFLRT1e8tMNz5nvJP52Qw1Ub5Sg4svZGTZJoIND5wnJME6qlaOF6B59 kutVAVkQ8wGgfdGBC26dJrIX9l4eeqdFXai4Y1CkMXLZ7aKHUMDEEbz2lWWYaGv RTBIF4LnKzVRwgtZjbwJSnZA5kpSBfoKGl3F6RFNIi2OsKDW27x7n6do4ANfO3l pLLLKnndRWjBtuKRvgTaErqhJIOL5Dj8P6NDh83sPeflE4u4utb84ch7eoBCZbh NwkvwhGtwnlKjLFcPXUbLllEwZPj370Sx6RydI7Wn9pUSS7vYLwoEAVlKf9XRh0 yxSXn4Q8Ga7xM6QvebdLsLMNwkpo7JkFG Extension name: 4agrfsh5tx7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://wwylgcvegp33t2ytnsqa6klroq3kz643q5ceinkqb7x6232g3guit2id.onion

http://decryptor.top/913AED0B5FE1497D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe
    "C:\Users\Admin\AppData\Local\Temp\b8a3da8c60459974767732321a29b91dfea59ab5ad993caf832f2bb2484b5c96.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" netsh advfirewall firewall set rule group==”Network Discovery” new enable=Yes”
      2⤵
      PID:2324
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:792

  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3912

  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:548

  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4080

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
    PID:2804

  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt
    1⤵
    PID:1264

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\4agrfsh5tx7-HOW-TO-DECRYPT.txt

    MD5

    f36e3f7740af03ffd0e55e87c507219f

    SHA1

    57f70fd951cfd232b955478eca8ac0d7d1d0c6ad

    SHA256

    8cd2c35f118ae6995f0f09d3ec1e19ba25b4ca846255a491cce9d5310a9b2f66

    SHA512

    552d0b8ad4ee664f7c35c015e2788938f5650d4cff2065f033a7f668f10a0e2564a633669cfefbc0fcb4b8fba63cc0c1a91d9a68f84a6ec63d057531decde108

  • memory/1588-130-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

    Filesize

    4KB

  • memory/1588-131-0x00000000002C0000-0x00000000002E0000-memory.dmp

    Filesize

    128KB

  • memory/1588-132-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB

  • memory/1588-133-0x0000000004C50000-0x0000000004CE2000-memory.dmp

    Filesize

    584KB