Overview

overview

10

Static

static

d5f7964dc0...f7.exe

windows7-x64

10

d5f7964dc0...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5f7964dc07bb3465fbc3a995fcadd623197716480f6b86518a5dfdafc9f3af7.exe

  • Size

    406KB

  • MD5

    5bae3b513617471179f9531cd1d9d767

  • SHA1

    acbe505a07e9b974e28dfd2c91052ff0064e366d

  • SHA256

    d5f7964dc07bb3465fbc3a995fcadd623197716480f6b86518a5dfdafc9f3af7

  • SHA512

    4cfeb1c939c7d751816ed948ddb30fccf96bee7c8adccc29192b18b40865b440cb11482ee16906e3d071375b0c7ddd087ae83f2eb0ed21cd17bbc2d21586dff1

Score
10/10
sodinokibi34295ransomware

Malware Config

Extracted

Path

C:\ydzi0gesg-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ydzi0gesg. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3BB08C8D6F152AEE 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/3BB08C8D6F152AEE Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 6BW8dkpuxSL/ZZQ/9Vyf/rLYUEVQP4w5qmBupvAMezLfgAQjzAKXRrIPgXQbbw1t GZfLT2XDHYuAZMPYIliv4dvRMrvJSh/4jyrVaj4Xt73XlNJK0xUgsshrSfk/ggAx VDpbslm5RugJJ3nHO6M8QwsyZ8+dnbskv/m86JYyENpfIujWU1X5Y/3N1bRq3vLY +I1kizZFNtXrX0TFKi9duMNsPX7l90BCLYE3E2UhJFa+FA+cYN8f9xnLhibizLzR XCNchMXZlymz0HLc3aQyzfKzENiXrPe2hZbRYW+2fBlT6mgf5fWVoXeuYNxh6FIJ 6YWEXk/NZj/hB5tZ7ltSbW+WXZqizJVmBU9XNzQia8z2G7XNoniZjuW2RJ19WLlm BpeACK9ZzqFCIO61PZjWUQ6J+XLWeaFnXt/wW4qNpqaYAKj2nVIPtAOMNZ2cRYm+ 4ITx5wgS3JaoX076louTCo9qOCZFpgkJi3fQGiLhpUlePC8seSt5B3xNi4ndi62C GLyxQAIDrdtCPZww8vqKkwnDqEBeU/VjN3HLwnkx5B184HCufMriJPc4neDd6vin bxKEvZHHHJP587m6uXOurjdpA1QuSa1O/WIwUpt4vnjhwnMPDcN6Iet9zvGamOjf SWmfhHA+LbBPUofiL7APJ5SBwYMj8HFbEWD/1KEDpz4abnWoTnz7rWJRugewSVU7 2Sgv/1CzonIdONbYroZQy8lf7PEl5oUkox7Qz842+FoGRHBwSww6JvmI96xNSnOY vJh424fpN2U1aovnqp3UzzY53s9ElJKUAZUuJXk1X+FZJ+AWW+f0T5R5pOOHHW/y nWOohfCllp1kfuxhgCYLf69MFaf4/KmllS7KL7u0tL2v+oNWRyTdpDtUkYZV43Jh r2lxQkJwK4G7+MR89ydWYbiC3CS3BmIPzC0pfefCb5w/e+9EhTdMaNE3jlhSaMSd hWoNb5SKu4zEZDAns5mAF+BoOBlcUxDO2VJ9x3VVIn3Jx6BjvFVTbTyhzxifR0qh Y6g0gNTZsEPBxiY253X6k3ALsl/tAB2CHLNyOT0XgpCur63IL5kkY2YebEi/NVm5 JCahMAODZ18/gkJQBE3CiGhViRFHdnYDWGcXRL0UlzpnEz/HiZPwMCc8xzEncOIo gyONAKZEY7iC3yk2/l0= Extension name: ydzi0gesg ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3BB08C8D6F152AEE

http://decryptor.top/3BB08C8D6F152AEE

Extracted

Family

sodinokibi

Botnet

34

Campaign

295

C2

brunoimmobilier.com

rubyaudiology.com

teutoradio.de

bluelakevision.com

michal-s.co.il

nourella.com

coachpreneuracademy.com

egpu.fr

jakubrybak.com

activeterroristwarningcompany.com

rechtenplicht.be

airserviceunlimited.com

watchsale.biz

newonestop.com

cyberpromote.de

angeleyezstripclub.com

druktemakersheerenveen.nl

citiscapes-art.com

satoblog.org

hostingbangladesh.net
Attributes
  • net

    true

  • pid

    34

  • prc

    thunderbird

    msaccess

    sqlagent

    onenote

    oracle

    ocomm

    msftesql

    sqbcoreservice

    agntsvc

    tbirdconfig

    isqlplussvc

    infopath

    mspub

    dbeng50

    winword

    mydesktopqos

    firefoxconfig

    xfssvccon

    sqlbrowser

    ocssd

    sqlservr

    steam

    mysqld

    ocautoupds

    synctime

    visio

    excel

    mydesktopservice

    sqlwriter

    mysqld_nt

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    295

  • svc

    vss

    mepocs

    svc$

    veeam

    memtas

    backup

    sql

    sophos

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 30 IoCs
  • Program crash 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5f7964dc07bb3465fbc3a995fcadd623197716480f6b86518a5dfdafc9f3af7.exe
    "C:\Users\Admin\AppData\Local\Temp\d5f7964dc07bb3465fbc3a995fcadd623197716480f6b86518a5dfdafc9f3af7.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 576
      2⤵
      • Program crash
      PID:4100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 584
      2⤵
      • Program crash
      PID:664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 852
      2⤵
      • Program crash
      PID:460
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1452
      2⤵
      • Program crash
      PID:4240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1248
      2⤵
      • Program crash
      PID:3192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1352
      2⤵
      • Program crash
      PID:3392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1432
      2⤵
      • Program crash
      PID:1644
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1404
      2⤵
      • Program crash
      PID:3484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1348
      2⤵
      • Program crash
      PID:992
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1380
      2⤵
      • Program crash
      PID:5100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1392
      2⤵
      • Program crash
      PID:4036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1332
      2⤵
      • Program crash
      PID:3708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1112
      2⤵
      • Program crash
      PID:2136
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 876
      2⤵
      • Program crash
      PID:2632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 692
      2⤵
      • Program crash
      PID:2052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1000
      2⤵
      • Program crash
      PID:4088
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1488
      2⤵
      • Program crash
      PID:3752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2396 -ip 2396
    1⤵
      PID:2708
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4020
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2396 -ip 2396
      1⤵
        PID:2028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2396 -ip 2396
        1⤵
          PID:4252
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2396 -ip 2396
          1⤵
            PID:1536
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2396 -ip 2396
            1⤵
              PID:4212
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2396 -ip 2396
              1⤵
                PID:4772
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2396 -ip 2396
                1⤵
                  PID:4256
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2396 -ip 2396
                  1⤵
                    PID:4932
                  • C:\Windows\system32\wbem\unsecapp.exe
                    C:\Windows\system32\wbem\unsecapp.exe -Embedding
                    1⤵
                      PID:3596
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2396 -ip 2396
                      1⤵
                        PID:1044
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2396 -ip 2396
                        1⤵
                          PID:4368
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2396 -ip 2396
                          1⤵
                            PID:1916
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2396 -ip 2396
                            1⤵
                              PID:3500
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2396 -ip 2396
                              1⤵
                                PID:3352
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2396 -ip 2396
                                1⤵
                                  PID:2696
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2396 -ip 2396
                                  1⤵
                                    PID:4028
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2396 -ip 2396
                                    1⤵
                                      PID:2788
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2396 -ip 2396
                                      1⤵
                                        PID:2408

                                      Network

                                      MITRE ATT&CK Enterprise v6

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • memory/2396-130-0x0000000000400000-0x000000000047A000-memory.dmp

                                        Filesize

                                        488KB

                                        Download

                                      • memory/2396-131-0x0000000000840000-0x0000000000862000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/2396-132-0x0000000000840000-0x0000000000862000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/2396-133-0x00000000008B0000-0x00000000008DA000-memory.dmp

                                        Filesize

                                        168KB

                                        Download

                                      • memory/2396-134-0x0000000000400000-0x000000000047A000-memory.dmp

                                        Filesize

                                        488KB

                                        Download

                                      • memory/2396-138-0x0000000000400000-0x000000000047A000-memory.dmp

                                        Filesize

                                        488KB

                                        Download

                                      • memory/2396-140-0x0000000000400000-0x000000000047A000-memory.dmp

                                        Filesize

                                        488KB

                                        Download

                                      • memory/4328-135-0x0000000000000000-mapping.dmp

                                        Download

                                      • memory/4328-136-0x0000028CEA810000-0x0000028CEA832000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/4328-137-0x00007FFCA8660000-0x00007FFCA9121000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download

                                      • memory/4328-139-0x00007FFCA8660000-0x00007FFCA9121000-memory.dmp

                                        Filesize

                                        10.8MB

                                        Download