Overview

overview

10

Static

static

SNB_Luhut_Balance.exe

windows7-x64

10

SNB_Luhut_Balance.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2022 06:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SNB_Luhut_Balance.exe

  • Size

    555KB

  • MD5

    abc7e381243696168d77faa90f408347

  • SHA1

    8cc0bcd7a8701e58e689231a7250f1e42ff06f52

  • SHA256

    dd59a759331f7d6c46ed43cba3d55b8325985e215b94027972006c06b1ec1f1c

  • SHA512

    41e4e8733008cdb1cdd29ad6ee8d9aabcdd4639999d3d83a012c9ce12141ce886bb13b5d91d86df22e5b18f618436e0bab769f4c9a0e4a4f814a34ba9e0c3592

Score
10/10
sodinokibi3097ransomwarespywarestealer

Malware Config

Extracted

Path

C:\u2uyf5j6pr-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion u2uyf5j6pr. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/09FB79390D4F2BE1 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/09FB79390D4F2BE1 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: VUepowsNg/zw/zxRH7Mjf/VGZHhhw33X0L8jxJc11dDUFpxPymkHsmyv1jkYJRo2 4suyk6nlStHuQQ9U/NdwYfyzuOIVQX10EItITJr/JwATlzHHA6cfIFyzadugbHCO 96FPoXDKkh63SkXu/sCBvSHXCdVo+K2nkxXRBVKoM2hUf3TDyePagbr4Se9OjlpA lhTWFXzWeKIjYt4c2H2Set1RonDotxGJhG2+Qz9MXWZTLYPWPHwNtzZZAa3cWFjx PtFysrmQHcbcdHLMbKLmmVVeg5qBX+GA7vl/ngPHssSsxYTWwcTRcBxSq8MVgzGr gkb3Bg+mm1pHck5+mKPkwuld+hs8Fb280w/We7yvWGUj9sCFAyVsMGMn4fGzIinD wAaSVjngbU15xmCvZauGAIUc0xvLivaw+iGd5E+AN2EFAQbHMansNBHJ79pXZaY7 m16qTaSGbbetwAIvLg4Vi3JDq4sdtJsiAXTkwzX220LgFGrwXWy1VVnjzaUFLqeF HoBbkh18cOpU6Ep2xai2CtPIpPGP9QuBhXzf7ownn7W/exAHckgi86xoImwUw+SM 50btd4iMRGXs2ZstAfIQ+4jEJOQNXhCx1PZuk5dt2arcFTvr2Db6J3XsmYTbNReb FMkh4uZsy8QVi4/K6mUwzUctUq89IwfcBaWBABcStgctQ7gaz0eCz2Lp4GIgn2ig ODzfhuvL+o6SyRs2ejmOMRu1nrsOkxmy7TP7OHzOFrrMlNttG361aRP57fchDw+K XmNdf6ywmMgqJeSbHnHrZFqzqKzlU3IYlxEheUjLTFzNEKJQmBXE6ZGXfT16Dbul jgxdba/ETTxX+1/Oo+B4s/+qkYfJRVFRARy4j0XWl1vMWMZh9w1hOUXQmMbN/6kI iZ+HgoLuIpDWeMT896GzufqmBBCjj6D+X0dF8cYKkyRZhZjeBvmdQ6be9btz3m4I QQ793oz7Sb4vFLGYifrshh/AXgzFcZF0ZLFhwdw2DwshwYaYY0/31uIRljNVzzZn 1WgJujyQJG9zPxreMQyLdwuSUXwjQsUSHv94KEXPrn4LBh8FIil5HbykWgTm8CRj 26xAyqU3wbcZrzlZXuPECoQfpkObnNZbGAtbdlhCJugR51Uc3o6IpRNZBBRFZbCH /J8xAesS/JRb7gctC/o= Extension name: u2uyf5j6pr ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/09FB79390D4F2BE1

http://decryptor.top/09FB79390D4F2BE1

Extracted

Family

sodinokibi

Botnet

30

Campaign

97

C2

sytzedevries.com

druktemakersheerenveen.nl

energosbit-rp.ru

business-basic.de

acibademmobil.com.tr

leansupremegarcinia.net

worldproskitour.com

shortsalemap.com

pansionatblago.ru

humanviruses.org

ya-elka.ru

block-optic.com

silkeight.com

carmel-york.com

unexplored.gr

hotjapaneselesbian.com

forextimes.ru

avisioninthedesert.com

agenceassemble.fr

keyboardjournal.com
Attributes
  • net

    true

  • pid

    30

  • prc

    mysqld_nt.exe

    dbsnmp.exe

    ocssd.exe

    sqlwriter.exe

    winword.exe

    oracle.exe

    thunderbird.exe

    mysqld_opt.exe

    agntsvc.exe

    excel.exe

    ocautoupds.exe

    encsvc.exe

    infopath.exe

    mspub.exe

    msaccess.exe

    steam.exe

    sqlservr.exe

    dbeng50.exe

    sqlbrowser.exe

    onenote.exe

    firefoxconfig.exe

    mydesktopqos.exe

    thebat64.exe

    xfssvccon.exe

    synctime.exe

    ocomm.exe

    powerpnt.exe

    tbirdconfig.exe

    sqbcoreservice.exe

    mysqld.exe

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    97

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 34 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SNB_Luhut_Balance.exe
    "C:\Users\Admin\AppData\Local\Temp\SNB_Luhut_Balance.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:3048

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/988-130-0x0000000000892000-0x00000000008AE000-memory.dmp

      Filesize

      112KB

      Download

    • memory/988-131-0x0000000000892000-0x00000000008AE000-memory.dmp

      Filesize

      112KB

      Download

    • memory/988-132-0x0000000000400000-0x00000000004A3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/988-134-0x0000000000400000-0x00000000004A3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3048-133-0x0000000000000000-mapping.dmp

      Download