Overview

overview

10

Static

static

1517567961...de.exe

windows7_x64

10

1517567961...de.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    09-06-2022 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1517567961fdd39a38d45efdf3655e396230c509a910d5277d945f042c4194de.exe

  • Size

    466KB

  • MD5

    4a6e54e01ebc60f16dfc391595af795d

  • SHA1

    257ba02f122943f7fb53c9c6b077c3ecd383194f

  • SHA256

    1517567961fdd39a38d45efdf3655e396230c509a910d5277d945f042c4194de

  • SHA512

    d00ce38d5b8611282d6d8a6c981d845f2946861a6ed30ddd2b06e726009b538d3c42baa9fee8b2cdace918d4ab24d25cdbf1c9f8bd82d21860c5a901c3e2b927

Score
10/10
sodinokibi5750ransomwarespywarestealer

Malware Config

Extracted

Path

C:\2796x51aq7-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension 2796x51aq7. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D705E46D29948AD1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/D705E46D29948AD1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: KxszZvkvo778xTuOYrpNDgNqPe3SaUmydlMjZsQTGVXuIyEtnkWJJht/9xK7U2Y+ iClu7th9yFcSQceSz5WCNgTt+XDDiaA8NFc1Z90uDY+pCzqOgI6n05nTIshcHQ2G RtQFQuGG5Rem30HhbDemJyt42R2wUPAKiKEf5yciyQqC6V6SNSFBgL3BzBFthhLI O5TeS6vywLxd/+WwkPRWC79oD9hO84YU+B4qkWZhBpVZP81AZIDnE7ZGpGDL6bEv UBSwbs0l5MAV1wRPkskl9d3bl4amqzYWGUKMi3Y1mz5vSw8wBIkHSCdiZK99qd8A 7THNbPMAYvojmY9RmDtbyN1ZsLI+ZhvfM2ib3PWf4AybHbz3PjYvdn7ZbWtWcZ7G kqvhSKQGu+ZHzmXbox+EYRhdctO0GOWS4kxxy9mLdzyi7tHJDQ0MP9zTElxsjJty V4zN4JbeZz+nvJq1OKu2ClNA1hZurUct74Tk6jc0Xxy8U2jDNVri0a8Lv4sbLzzQ rMDmRcZYosbcQzEX2+zDZuhs3sZVLl3EIOb7JO89JTL2fRLVxvTtlfS40VRt7w/c KZst0tH3XJPoSHV38mwjwJ+2x7WgwyllQ+dulH7IbQPjoGSFzF/O6r+SAwz9AraP bD2Wh5OEq0SsBBj9MqW4EiNZbyBHs4+25rpI0R86zt/MAGy4djTzXRRdqBI8BRLI 4Pt28EJzTi+OhxTgChdxNn33TU7alrVc3BgxmbeYTzm/7h5NS4y0VwdbDn3F+Gxq pI6pftv0GkPZBPyZcHaNn7BHVbPo/DrFLtk0ou280PrSmJZ9N9NPCGWBjTwAIXnt eQsd7mNMP0PTTklxIx4RvnrZf3cBvo4qwmS04U3t/4G+u+tCxco6REWax1IgC6jB OWfrR/XxviZB6FGgF6aShyePqMmDjEHoFE9LEJlmna7+yuqcL1G91liKNXIx6mkp cJe9I4Kuy6c31Vh0aj2G+8galcYgBROllfxFK/itT8EGKo8Ar9oo+6VxgCTBJ8IT mkGAyZknUG+YszhcCvaWBiV+0PMKVJLMwHcvBcBrRw4ls77mebsR5Pu75+goASTJ fN2b7yKZtkVJhx3cCzPvuPWAbX3NclAZIH/Pa2I14m6ATnugAxxt9P9ka5fPxBHA X0hDdHQOfTTyMpdbpVw= Extension name: 2796x51aq7 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/D705E46D29948AD1

http://decryptor.top/D705E46D29948AD1

Extracted

Family

sodinokibi

Botnet

5

Campaign

750

C2

duthler.nl

test-teleachat.fr

powershell.su

gbk-tp1.de

theatre-embellie.fr

awag-blog.de

bundan.com

dnqa.co.uk

lattalvor.com

funworx.de

premiumweb.com.ua:443

slideevents.be

housesofwa.com

rossomattonecase.it

tramadolhealth.com

rentingwell.com

thepixelfairy.com

rozmata.com

nvisionsigns.com

fire-space.com
Attributes
  • net

    true

  • pid

    5

  • prc

    xfssvccon

    ocomm

    ocssd

    visio

    isqlplussvc

    mspub

    onenote

    sqbcoreservice

    synctime

    msaccess

    steam

    dbsnmp

    mydesktopqos

    outlook

    excel

    thebat

    tbirdconfig

    thunderbird

    oracle

    powerpnt

    ocautoupds

    wordpa

    winword

    encsvc

    dbeng50

    sql

    infopath

    firefox

    mydesktopservice

    agntsvc

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    750

  • svc

    sql

    sophos

    svc$

    veeam

    memtas

    backup

    vss

    mepocs

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1517567961fdd39a38d45efdf3655e396230c509a910d5277d945f042c4194de.exe
    "C:\Users\Admin\AppData\Local\Temp\1517567961fdd39a38d45efdf3655e396230c509a910d5277d945f042c4194de.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:2172
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:4252

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2108-130-0x0000000000725000-0x0000000000747000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2108-131-0x0000000000725000-0x0000000000747000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2108-132-0x0000000000400000-0x0000000000522000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2108-134-0x0000000000400000-0x0000000000522000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2172-133-0x0000000000000000-mapping.dmp

        Download