Analysis

  • max time kernel
    1704s
  • max time network
    1719s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20220901-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-09-2022 17:54

General

  • Target

    RansomwareSamples/REvil_08_04_2021_121KB.exe

  • Size

    120KB

  • MD5

    2075566e7855679d66705741dabe82b4

  • SHA1

    136443e2746558b403ae6fc9d9b40bfa92b23420

  • SHA256

    12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39

  • SHA512

    312dcb3d83a5201ef16c5027aabd8d7baebfd9761bf9514cafecc8a6936970b897b18b993e056d0f7aec81e6f0ab5756aa5efd3165e43f64692d5dbdb7423129

  • SSDEEP

    1536:bjxXC9jVwbhEW8z3w1R+KjJLRiOQJo0SoLCdpuOk2ICS4Ang6lUgvfYiFyRFywX/:mmV1wKdLoLC/OemUWYjfywpbPa

Malware Config

Extracted

Path

C:\077f8fey81-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 077f8fey81. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] Attention!!! [+] Also your private data was downloaded. We will publish it in case you will not get in touch with us asap. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73D59F437BA22B7D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/73D59F437BA22B7D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: kkSyxH51dFoILCh5Xs8KbS1K3fYq9SwN3LezUCH6EMTXd+DS5UeQ7OkguOj7D5Qc tvsX2Gvf5kA2SrTi544murj5+4jsqRE//iI+DrL9yueu7KNffN+U+iYo1Mv9efl+ oVnEL7n93Lh/y2cnHlb2xNWmvmfmAXKJq5qRvXE1ss1CQEfNZVLqJxie3yH3FVrm wl9+h/acp4WK/gXAVqXYeyf5mKgAQ6q25qnptRJCl702haUni9X5LwtafT5Mqvjs MCOp42ETHdJ3CB+1hbQ3tEtSHBEltUdi4iyisJUOJkreSGevLzWd/aCtXvN+xBlG lE0xks9X2+7AtFFf1Kl3aVBZVDmuzHyhPRWxVEX88JTMzMixT0Dmk6kHLGJPpu/c I357dOoVKBtQnl5w5x6aj+2aehHJ8kTcgl8Lmig4WeoDaJy19qH7mohvgGYj31NG XkIai9lpEYIu743VfSvo63Dha9W6tXDtAKptROGfhLWnqTiz/XrcfwcZuORaoN4/ q5Us4dyV16dMSepe3BU6f59qIrPicTyd3fOqgH5Om//T9NMyE958qzNmh/1AaG7h RjWDDRBLZrhv6vdOMs0p3MwNQJiZsWhzCXhkFQMS3JRHLqUXLkUCJH5RQu4CbjPy MfRQVhEwD0ovKCvMSP88pLbzJAtJD9lpA89ZscTR5EZRmYvcPr1Q/IkdAVe0rHmx hQRVJI1JJV9LLcO8bG5iGgKsWyClPQcHeuT91l10LPn3WFcC3rmoU5yHwhHd3whv D1H8zhSsQAdTv5sEnEeonWFePc2+g8d8QNCc4FqfY+6QPgg30voS9LsQJTTjBlW3 MHWUXWK/8BnWLXYCnOLPq/ikmm3vFhxeZmTWS1+NwS9B0VIa2xAHM3LrlU37oCUL 58xEg1enf8fS1ZhsPGTJIRj8V5b6CEXFS+L8oy7D7hkEh0Y7BZpNxRAR7D+Zp9OW 1VU45kESmHhVs//iZTL+kJ2JU7tB1r/oU/ElNUvkAIya1eod9YKthVXOKFWnI+Vl c3Jct1eATbGcwuOvlORCwbKmz5k3lsAd4DA/gujSZNUlLW0ezQfekVzPZ8HIqedz yYtCYwJsAdc/0JiSMwSvlJORP5WA7o+vqn0Q+5EL0e4f+WOYsrJkIc9dOsfF/uLY RX1Mf3140YvyHcNDSj6D5NBlvVPFheWL/pr43Y9TZjMKKmKdQ63x51RefdqJe5AI ZXoLmiAnbVG/5ih2VT0pIXnIJm9xc/IkKoJ6SMS/1+YbQ7x6Fd9p7DMIHlvzpcNZ yWC6kQI8RQFz6g3ZNmRREUb+l/C4FXCzysACcw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/73D59F437BA22B7D

http://decoder.re/73D59F437BA22B7D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\REvil_08_04_2021_121KB.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4148
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:4312
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112) 1
  • Credential Access
    Credentials in Files (T1081) 1
  • Discovery
    Query Registry (T1012) 1
    Peripheral Device Discovery (T1120) 1
    System Information Discovery (T1082) 2
  • Collection
    Data from Local System (T1005) 1
  • Impact
    Defacement (T1491) 1
