Overview

overview

10

Static

static

DHL __.pdf(4).exe

windows7_x64

10

DHL __.pdf(4).exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL __.pdf(4).exe

  • Size

    555KB

  • MD5

    e042695a3bafed9b991e345edb2446e3

  • SHA1

    6e60f589c42b4521612f5fc43e3825fd8e3f33d9

  • SHA256

    2fa8aa9c02c122e490aeee9dc0acce1fe7f3a74207cfd2e384ebfcaa56ed1cbc

  • SHA512

    fe8e1ff84dc4596bfb038a2d5777e247b8999926ea09118e50eed5bb79d931943ee54658443dd2bd18bc751a2f78356fa585c1231fb3cc91e365f8c9ede568fc

Score
10/10
sodinokibi3097ransomwarespywarestealer

Malware Config

Extracted

Family

sodinokibi

Botnet

30

Campaign

97

C2

sytzedevries.com

druktemakersheerenveen.nl

energosbit-rp.ru

business-basic.de

acibademmobil.com.tr

leansupremegarcinia.net

worldproskitour.com

shortsalemap.com

pansionatblago.ru

humanviruses.org

ya-elka.ru

block-optic.com

silkeight.com

carmel-york.com

unexplored.gr

hotjapaneselesbian.com

forextimes.ru

avisioninthedesert.com

agenceassemble.fr

keyboardjournal.com
Attributes
  • net

    true

  • pid

    30

  • prc

    mysqld_nt.exe

    dbsnmp.exe

    ocssd.exe

    sqlwriter.exe

    winword.exe

    oracle.exe

    thunderbird.exe

    mysqld_opt.exe

    agntsvc.exe

    excel.exe

    ocautoupds.exe

    encsvc.exe

    infopath.exe

    mspub.exe

    msaccess.exe

    steam.exe

    sqlservr.exe

    dbeng50.exe

    sqlbrowser.exe

    onenote.exe

    firefoxconfig.exe

    mydesktopqos.exe

    thebat64.exe

    xfssvccon.exe

    synctime.exe

    ocomm.exe

    powerpnt.exe

    tbirdconfig.exe

    sqbcoreservice.exe

    mysqld.exe

    visio.exe

    wordpad.exe

    mydesktopservice.exe

    isqlplussvc.exe

    sqlagent.exe

    thebat.exe

    outlook.exe

    msftesql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    97

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL __.pdf(4).exe
    "C:\Users\Admin\AppData\Local\Temp\DHL __.pdf(4).exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:1772

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1772-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3160-130-0x00000000008A2000-0x00000000008BE000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3160-131-0x00000000008A2000-0x00000000008BE000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3160-132-0x0000000000400000-0x00000000004A3000-memory.dmp
      Filesize

      652KB

      Download