Overview

overview

10

Static

static

10

356f917c96...46.exe

windows7_x64

1

356f917c96...46.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 00:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    356f917c96ae1460bd5e127f8917b23d7525352473bf91ae996c68b16c9f6a46.exe

  • Size

    179KB

  • MD5

    6f6ac812f004bdb64d7f394f21c79767

  • SHA1

    216bc112c323d367fc2c3736ab98a0948fee1171

  • SHA256

    356f917c96ae1460bd5e127f8917b23d7525352473bf91ae996c68b16c9f6a46

  • SHA512

    d7be9ac5ca022303dbab3d19acce03e811ff170a3b5b45b2e7951346c852b0b03e7fe4eb97fb0f47ed0d5e1c009f5375dde4a61b7d9de3f0a1ac1e254c231e03

Score
10/10
sodinokibiransomwarespywarestealer

Malware Config

Extracted

Path

C:\eb42n2-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion eb42n2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/26C5355B28288033 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/26C5355B28288033 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: wADmepVsYSs5tFX05D/GKLdqzoyk016DPnp0mA7AbL10q394X03/BqVI9IUSb+HO lsmaZy2g37IlOlBtp+6dW649IaAgMwmTBIrvrLmn62n2yDMw4D2leWrwpLLc1hiy BmMDHbzpLSHjDmhCPOq/CBrlBWh1Rj7VOq8SsvACT5BAo6uECW0sd0oESHyhNhKH ETuT5ymDA0rroHgR+K9jue4owPOhG0uAZgx5XQ/2uPyY4bmwvbRypmpqV1obU382 Y6pVMcgTednpJA+fYjyuy+KuG3x1DwJUz7L8qcvoCcn32irkxu2vVXtqdJ68kicI 75vVVvl6JzVzpmLRakqC02oJULl8D/5s3l9lII3SzCdFMDMPfsDBU78528Rp0lzx 7dYFM2DCXO+jhnNh++lZ12M2XjRZcaXVpJCRE3bS4Zj0AhzZ/hJKAz2tTBQJUvtN OSbrVSjiuBEAZyE41mNo6Uy53i+wNUYnqi98K2JL1GQhoB+YG/jgjMmoI0i1vTnq NIhR2VLyrZeQ6Nx9eOMXlnDyfbh5yymKE3ktOcJJ0oK5ZzuJd2I/Qlu1bWNw+MKu fjOivHWHuXGqvX2eWN2rbJr8LLxFVDrrJx5/v5sxCFSHYXbuVRPFuXfmLnrGcscG QoSBx2flsyHJIVF4iMerX8PRkaSLqcivClYc5svGg6bLP14cPdZiCQvKk5oLxGfj mH/ghaWSNPIeZkzAV7vS+9yqfAE1Wg62lDfd2bgrUg87MTpKaW1OTPe5EMegLdB4 SF+I4MUvbQH2055ggyk+PHk9HjUBKAwHG0q+2BAhnhIe6LwO122dMYlMfwpGZqNx wC1bYGc6C5GLX5msbQpUGtsqXaDpb8XHm8n1lCKHb5o220sxVC9REx/iFr+s9Pj5 Z8PivVVQOT518+N6uA3OqvCYw+mqsm8BD9ltd9HNYSWGq6kw9zWQUIJpM+B/R+NR ir5MmTpSclbRS29zMrFyg3srLFuIAk8FzLs+dQyO76hP50ICGS1uRFiCWL1p6Zxn IPvZ+R9hzzrR6YMD34pW7ZDPtRaAxE765DdvZRIinxIY+4B34/TMGecT7RS9j30T TyzjtJyf8Chs3vo6JAaPgs0fuB8eWFqDixBHWSHW/8/GqcYV/x3xDyP6JuTTSj/a 2dGILdGQMBM= Extension name: eb42n2 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/26C5355B28288033

http://decryptor.top/26C5355B28288033

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\356f917c96ae1460bd5e127f8917b23d7525352473bf91ae996c68b16c9f6a46.exe
    "C:\Users\Admin\AppData\Local\Temp\356f917c96ae1460bd5e127f8917b23d7525352473bf91ae996c68b16c9f6a46.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:4728
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:4892

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4728-130-0x0000000000000000-mapping.dmp
        Download