Overview

overview

10

Static

static

246aea5a28...eb.exe

windows7_x64

10

246aea5a28...eb.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-06-2022 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    246aea5a28ed117238ed0da8e6c96a9a9f1c627613d0f9f57da3e819f57231eb.exe

  • Size

    263KB

  • MD5

    ef777a861ede95d3b02b0b135952d43a

  • SHA1

    39e4eb1ab854c4a7929e8e77ca0dbca37049154d

  • SHA256

    246aea5a28ed117238ed0da8e6c96a9a9f1c627613d0f9f57da3e819f57231eb

  • SHA512

    6def21a6903d0409249d7d076630624377b97fb98ddd4a3f24e0a680e581cee7c0c8c5a207c3c64055c26a2823af1c9c2013f993e432b549865666f98a832735

Score
10/10
sodinokibi827ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

8

Campaign

27

C2

tweedekansenloket.nl

adabible.org

magrinya.net

pankiss.ru

eksperdanismanlik.com

jax-interim-and-projectmanagement.com

motocrosshideout.com

apiarista.de

fla.se

kellengatton.com

letterscan.de

awaisghauri.com

forumsittard.nl

evsynthacademy.org

birthplacemag.com

epsondriversforwindows.com

slideevents.be

xtensifi.com

tecleados.com

triavlete.com
Attributes
  • net

    true

  • pid

    8

  • prc

    mysql.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    27

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\246aea5a28ed117238ed0da8e6c96a9a9f1c627613d0f9f57da3e819f57231eb.exe
    "C:\Users\Admin\AppData\Local\Temp\246aea5a28ed117238ed0da8e6c96a9a9f1c627613d0f9f57da3e819f57231eb.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:3784

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1908-130-0x000000000066C000-0x0000000000684000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1908-132-0x0000000000400000-0x00000000004C8000-memory.dmp
      Filesize

      800KB

      Download
    • memory/1908-131-0x000000000066C000-0x0000000000684000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1908-134-0x0000000000400000-0x00000000004C8000-memory.dmp
      Filesize

      800KB

      Download
    • memory/3784-133-0x0000000000000000-mapping.dmp
      Download