Overview

overview

10

Static

static

enc.exe

windows7-x64

10

enc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-08-2022 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    enc.exe

  • Size

    121KB

  • MD5

    6f0b92488eae3ccefc0db7a6b0d652ee

  • SHA1

    45adc4224d2ae9fd75b19417ca6913515c5222ee

  • SHA256

    457936c28938616495836c472b3389a0870574bee6a5dc026d5bd14979c6202c

  • SHA512

    14bc82aa8f60eed63725e0da0f51321c5eeefd680887ac76d47f3b6b023b00aa8e40ae7c147e3b6e26e7592ae3db37513d518be20c69dc575fd7e48b06a656bc

Score
10/10
sodinokibi$2b$13$66xegczsmxsbw2bdlmkqtu2ousx.iyefvqviyrmfc99peuhl1zjlc10ransomware

Malware Config

Extracted

Path

C:\cnc4qe-README.txt

Ransom Note
=== Welcome to DarkSide === [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have cnc4qe extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion When you visit our website, put the following data into the input form: Key: FsH2uGTvDFyvJroSJMJQoFBeLMgZkIo7ulMTT5EyG6r4zlFzlM3vU9XV//JYTm6B +C8WDRgmhr+GW6II0NncGeu26zP3JBAPBodiTdoToVEOvOL6V3WS5CN1xv58GxoS DWGChfdIFYHwSEusoRTc9npy/GXS37LoZX43fXIYVmw0IyXjEsBj/17AfdTAEl+T rGNb6y/DNvrXJLcJU2LjULqisSG/YyoCc+GhsT2lwFeEIliPHmDlCBPsDRANx+Xi 5sUxOSy/e4kMwwTZU1vj44inF3+3tPIecnlHVO8gbC9I1xlI3yAZ8dwHMUdofZYp PtONy+wgC4Am11RSOw85ULCMI5QuUcGDdDYWg6cU199fUTXYmb6IS0/u5+b+dpi/ RcVTvkrjpboOJYZzoX6v+ugAqdFFl2x7XglfssZyI/gCrU9AkZBU/A90x8chCmSV 8vlswpFYCUFrHvVbWv/2orhdE0woYglBcBlZ5ms6nyak7N7tqoQXO3MCQxNoxrLf T6K3hBWNY608YgLp8GvKv7uDRZV62tH9FZ0XdLiikxesu9HygayzcYWe/Fg8KCGa VIMeYjYpN9LrGMpVCpQVHC3DXX+OPpAs0EphS54PG1Kv0EHtDysnWg8/5ZeVFhFu ypLHERJ2dnCVEJorvCiVqqfeSc/6XyyWjckhjLQCNL6g53Oc65Yz8Q3MnimzB3/r MQM9S4x6n1hxu6Le1dxQiZjnZjB1K0YQWYUzfP5Oe7XYCDvvatCd0ARwreP/ZFvd N3Up1kCq3vrugzGLnjYnYNzeNjBJFew9II5AHbXFQ4HLQoGdiMJg5aM1EI7bo8zo VKDEexxAhTcyJigIAqlxSqIj2niZjZgtCRKPeoDnFGjkoGlJtMEZgv2aJX3iufhw LIjtFErsgtQJpfzrAdFMWapX6U/AJnIRKU1EyoXXA9wet7UjFNa82M4Srm0JhkEP jhqi7ByOqRPEi5wp8yXnYsqKB4pbiKVPFGHCRiYim3yp4x5y/s5qlWGP2dehDdSk ZpV+Xz5zrrsT2DK2XKxltLTR9qhUFP4R9UP6X9tOPzv1M6YjNpjhHlB5NoXmDIa/ ah9lT2TW8SfotWGW6X7oDvf3kuEl6lHYw1xFeXdADm5jX3dqQUQbo7YM3MatwgFB dBQ1Hv+IAyv3ipd4pw/LBy0XoU9oOD9aV24V8ySEuitUXJgBYxwBD2u6Ku14bxiU USWa0dF/nRlpcGZ4X/HtoMvqsqAxYMN6pUFkZ1Y2Fb0hkK9J0f9HyncAmma91l2f /9KbeLg3Uh5cXkThVCfCciyFredryv6dW1g= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!
URLs

http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion

Extracted

Family

sodinokibi

Botnet

$2b$13$66xegcZsMxsBw2BDLmkQTu2oUSx.IYeFvQVIyRMfC99PEuhL1zjlC

Campaign

10

Attributes
  • net

    false

  • pid

    $2b$13$66xegcZsMxsBw2BDLmkQTu2oUSx.IYeFvQVIyRMfC99PEuhL1zjlC

  • prc

    vsnapvss

    EnterpriseClient

    firefox

    infopath

    cvd

    tv_x64.exe

    VeeamTransportSvc

    steam

    encsvc

    mydesktopservice

    outlook

    synctime

    ocssd

    SAP

    cvfwd

    bengien

    vxmon

    bedbh

    ocomm

    ocautoupds

    raw_agent_svc

    oracle

    disk+work

    powerpnt

    saposcol

    sqbcoreservice

    sapstartsrv

    beserver

    saphostexec

    dbeng50

  • ransom_oneliner

    Follow {EXT}-README.txt instructions

  • ransom_template

    === Welcome to DarkSide === [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion When you visit our website, put the following data into the input form: Key: {KEY} !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!

  • sub

    10

  • svc

    QBCFMonitorService

    thebat

    dbeng50

    winword

    dbsnmp

    VeeamTransportSvc

    disk+work

    TeamViewer_Service.exe

    firefox

    QBIDPService

    steam

    onenote

    CVMountd

    cvd

    VeeamDeploymentSvc

    VeeamNFSSvc

    bedbh

    mydesktopqos

    avscc

    infopath

    cvfwd

    excel

    beserver

    powerpnt

    mspub

    synctime

    QBDBMgrN

    tv_w32.exe

    EnterpriseClient

    msaccess

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\enc.exe
    "C:\Users\Admin\AppData\Local\Temp\enc.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1532
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3084
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3400

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1532-130-0x0000000001300000-0x0000000001321000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1532-131-0x0000000001300000-0x0000000001321000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1532-132-0x0000000001300000-0x0000000001321000-memory.dmp

      Filesize

      132KB

      Download