Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-07-2022 14:41

General

  • Target

    048.exe

  • Size

    404KB

  • MD5

    0404a9cae8cfa9d41af806cae65498da

  • SHA1

    8cd0d5b397e6ce5747bd37fdeb877e95601488f0

  • SHA256

    fb872a27ca16a1c14f58076a0a29fb3166d0bac9643b3ab49aad3f29f6927256

  • SHA512

    637455e998cb9964d35d05dce65cfaa06e992ad16aa8f4293b59c66d9a61bb26a0260f2afe14f746d440a7e2c19fb057117fe4c5831841e3c608f97df8ec9ff3

Malware Config

Extracted

Path

C:\odt\54vch88v0w-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 54vch88v0w.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B573CE234FF30A23

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/B573CE234FF30A23

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
Extension name: 54vch88v0w

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B573CE234FF30A23

http://decryptor.top/B573CE234FF30A23

Signatures

  • Sodin, Sodinokibi, REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files (8 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)

  • Drops file in Windows directory (64 IoCs)

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\048.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\048.exe"
    PID: 2384
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (child of PID 2384)
      Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 1164

Downloads

  • memory/1164-130-0x0000000000000000-mapping.dmp