Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    05-03-2022 18:43

General

  • Target

    bcdb6f903d091cb844238510062f17f9c16d96959b1e2bf511de0e869ebbc815.exe

  • Size

    680KB

  • MD5

    d8c45725b2b0654be969ea1366e1994e

  • SHA1

    38feb428aa76ce397b33865cfd26a39bdbe3166c

  • SHA256

    bcdb6f903d091cb844238510062f17f9c16d96959b1e2bf511de0e869ebbc815

  • SHA512

    3975f885b650830c9300ba05c38f45869172d88bf8e20a270a9543dc30c75ef8c329f61c99caab8e1688df7f520fe7cdb06804586ba497ca9e73b7536e8fe8f1

Malware Config

Extracted

Path

C:\odt\u92765k2h-HOW-TO-DECRYPT.txt

Ransom Note
--=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion u92765k2h. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32990CD05EE208D9

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
b) Open our secondary website: http://decryptor.top/32990CD05EE208D9

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key: J/ii49jv1WFoOwWbpHoG600NVesuyYPFiWuARbWy2Zo8yTBGUul3PCL+7Uue72Tu KDU7NBNKFiydzXU/m4XpQ5PLPSAOgXyk3yR0HTF1EoGVzl/G0IbhyV7oKxJ9GofL jA6Fs9AL5RHPS//0TdDFFzQN9VjsiI++98KdiBjYQfYJLlvmSIousCd34y95qn/l H+x4R7w7V2DU18MyL5OWIzUpVqFVaGGdXNop9C2E8sRdx4ciAQS/B9L1klZxFXn/ goz7hbqIA/wiyzGNWiKywGQiPld8tB8OCFFLFB5v1dqQ1cVODv6kqFNnhd3/sqh7 syJGCY1lJZSduK9vzTisDDf/fMn500b+Fpu6nCORQy1EWS0Gr8EVB07ENSrLIFwu fmiPngY4xHIGRCUDcrOE7JyjSkYaEj2gFzqJi26Vu9WSMyZVj05vHrv5maby2z6Z IDD/PSdoSY1KPFtM7rHQ+mEqzVyVaiZ8Sf0AtZ9OMZxWnLpPkwtX4TQQCY3HyZwu Wy/++B+94mQq3lLUTJFPYN0Yc7h0arwfCdKX+/sVV+NDQ+tR/VCDehuY4PvvTshu pxkUOonR5hs0KWJuhdCbPwWGiMdGZMkT9gSuOC/6bLoZjA8NxdZO6hAHqC2qHlv6 3v3P77OeHjkfXzrX3quOM8ydSAnMqUImQ+RKVNVXIQ3cJVV3/+W4kw4A6uYfIx5/ m9mtaTtFcWUO8RHHl+EdMIYeCJuFQW+dnziWDk+N/nNAMU9erLbpkDxTeTeBOcUJ BMU69gJvQRGEckXtx1uGB2Jf/eeabI+R35XvQLDzUdvusJKPbjxAZkNebxqKK/G0 qrizEVxK8gQRrA85DRev485K7CvaOJy2mpzzEgHg4LnQAhpABdFJvDx0t9W95Ijj J+NOvRiKxaGc4ZZhCEjotqIFgwJg/4sO296sbGSNcmgn34Vi4eK1XfTxPREUC2RI qKTJexUj21qfHTBr/J3PnfxMjpaXGSxs4TvLKi0eV2OUL16yLF8g+hTHg68arCF/ /9Dljvt6C4/DVidAW0V+9BOSt8UabpKt64QLefuOtJkxLthsWLHcAUva+lsCIQM4 SIVckgPbBA4ebpexv72OiRK+gYA=
Extension name: u92765k2h

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32990CD05EE208D9

http://decryptor.top/32990CD05EE208D9

Extracted

Family

sodinokibi

Botnet

7

Campaign

3

C2

Attributes
  • net

    true

  • pid

    7

  • prc

    mysql.exe

  • ransom_oneliner

    You are infected! Read {EXT}-HOW-TO-DECRYPT.txt!

  • ransom_template

    --=== Welcome. Again. ===---

    [+] Whats Happen? [+]

    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

    [+] What guarantees? [+]

    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

    [+] How to get access on website? [+]

    You have two ways:

    1) [Recommended] Using a TOR browser!
    a) Download and install TOR browser from this site: https://torproject.org/
    b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}

    2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
    a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
    b) Open our secondary website: http://decryptor.top/{UID}

    Warning: secondary website can be blocked, thats why first variant much better and more available.

    When you open our website, put the following data in the input form:
    Key: {KEY}
    Extension name: {EXT}

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
    !!! !!! !!!

  • sub

    3

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcdb6f903d091cb844238510062f17f9c16d96959b1e2bf511de0e869ebbc815.exe
    "C:\Users\Admin\AppData\Local\Temp\bcdb6f903d091cb844238510062f17f9c16d96959b1e2bf511de0e869ebbc815.exe"
    PID:384
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID:4556

  • C:\Windows\System32\Upfc.exe
    C:\Windows\System32\Upfc.exe /launchtype periodic /cv gOkHijodRki0uf9l4WYX7A.0
    PID:3160

Downloads

  • memory/384-130-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize: 700KB

  • memory/384-131-0x0000000002420000-0x000000000244B000-memory.dmp

    Filesize: 172KB