Overview

overview

10

Static

static

full.enc.exe

windows7-x64

10

full.enc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2022 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    full.enc.exe

  • Size

    121KB

  • MD5

    fa1b150ec4130c49486338149678b19f

  • SHA1

    a6795b072c6817078c122ab6aed99695602d047f

  • SHA256

    5e9730afe5cd839e717f130be156c12ae2d7dd4d91116963eefc48b04eb83663

  • SHA512

    5df6c3c69c44c4bca51f427980c424b4fbb830e087b5866f5f35ff4b91c3c39c502f46133509b94c4fd0bf8616cc1732db1259992a2f19f214751c069149a952

  • SSDEEP

    3072:6WcHSdO86ssy11HUvfFJYZzJvCuv54sfVzo5016R:6wdDHHUFOquvdVzrW

Score
10/10
sodinokibi$2b$13$smhroaoopkdhdonl/mu1f.ngqdxcrizvxx5jgju1ep6jzpd9z7w6o143ransomware

Malware Config

Extracted

Path

C:\g134d8z9-README.txt

Ransom Note
=== Welcome to LV === [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have g134d8z9 extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] ATTENTION. YOUR DATA 1000 GB IS LEAKED [+] All your important documents was downloaded. Data leaked includes: - Databases - Insurances - Finance - Employee data - Clients data - and more more more... If you do not contact us within 72 hours, the incident will appear on a public blog read by the WORLD media. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion When you visit our website, put the following data into the input form: Key: tDaLR2n6kX83JSkPzkeB+eNBdAJIbHSKwZygbGVUR4PKcmxuc6VtBmSf/oKJYB8c IWMNAHRjFaelM4jnny/0SHr7fgysc54GqwunV7v4YAYG4FuJtRl5NnJcNBDuXxoJ 0wXnISBgfW/5yuFMsZSwzFpvTk1zg94o2Lk1wx6M9tPzM72uavVb9Px9zx2TQQD4 13RHqj8zwO+X/JL9R3OqzHdK0vguWhJsmNsAs69+W+aI/mEPNe8+IKYPTz1ql69D dw1NaqCMw6aMIgnJkAuWvSECLpIFhpcyt6FxU0MnFr9qVNtAUGRoWksZRoXhxzp/ DdU049PpL61qcNdi3weH/DPaTbzyuGzydeYzIj0NSQiR+YZgoSPdr4DJ1QbZ7K0r yrQOh0GZpfp3rZAuWtEL5RKiVG3OAwGxs25o5fbqcbfyC/eTaUkqEzE9ESMKrD4x lVKJAPb2M7qkCEdZkV3IoR527fAHX0uj3zJ+A7zCDmbnzC2wws/AsvaK6vtM/2X/ eDLO2OuzU9l+5OKwKv/q+jo3IZyd+T0V+8VZP+JGk/ZUeQOyQOLw+M7rJzAGAKv7 p2vG6NTkPeAvGBk0Coett3hPlkJfU6XXrMWpN8xYMg6bZfZkr8dA+fSvU+ocZbhe X9ks47EFIHRZ/GvtaE+tWBTg4+mNVvLNZAKEKrYpcdJxERI1XTa5iQ6CKqp3465o A43i5TNtEQx+YvoKvUGmCbfxYK/LNRbE/qHvmeLvwIWdNd/6LHtktvM7ft7l6r8k /wKOePxl6V5d6RYZQ0AZ6sF1/X9+dSbt+0dFKWcI6M/GBrw4l5TS93RtUGPCaplG Ry/57mhRWByms0uOXPhPW7OLY3tQpE25eujaIQLOZuy5SGzhNlca7H9j5qcCDuQ/ zLN1KxsQLlZ32usIdbtdniA6Jweg5ezNXA/0tWzbreb1UqbeE8xHIMSbQWi2BkJ4 sOn8mHe+sNYOIGh1cjQZND8PrTz8UuRWP0g2WNiFx2T6AAnR16jRBmCtM7GSYZ2i KxaQzsYBfHf9P/UGHGFFy8F6nuVVhi+yYRFhPgFdJ+nQeuCR5S08tLhmvE8EYoyR CJ3Rvu58l7mHtwi6tEbWWJUA7HvBs1jgLfZ7PAT1y3Dwj3z/cRDH7/PI4sZOi+MA i95++YXg5W2uqthti1w7joIztav/J9PX6dIfwIBGMSQIWJ2I0QIrIpco3QUYfde5 PwsUueRFCHbqST36a5M+P4ivc+T90TDUo10+D5TRQREYztwYksp+NLxDDfdMGuB5 3tugalJyCIBP1scW1s4ixeY9sYMyUTdycZknKzS2cMI= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!!
URLs

http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion

Extracted

Family

sodinokibi

Botnet

$2b$13$SmHroaooPkDhdonL/MU1F.NGQdxCRizVxx5jGju1EP6jZPd9Z7w6O

Campaign

143

Attributes
  • net

    false

  • pid

    $2b$13$SmHroaooPkDhdonL/MU1F.NGQdxCRizVxx5jGju1EP6jZPd9Z7w6O

  • prc

    vsnapvss

    EnterpriseClient

    firefox

    infopath

    cvd

    tv_x64.exe

    VeeamTransportSvc

    steam

    encsvc

    mydesktopservice

    outlook

    synctime

    ocssd

    SAP

    cvfwd

    bengien

    vxmon

    bedbh

    ocomm

    ocautoupds

    raw_agent_svc

    oracle

    disk+work

    powerpnt

    saposcol

    sqbcoreservice

    sapstartsrv

    beserver

    saphostexec

    dbeng50

  • ransom_oneliner

    Follow {EXT}-README.txt instructions

  • ransom_template

    === Welcome to LV === [+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have {EXT} extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] ATTENTION. YOUR DATA 1000 GB IS LEAKED [+] All your important documents was downloaded. Data leaked includes: - Databases - Insurances - Finance - Employee data - Clients data - and more more more... If you do not contact us within 72 hours, the incident will appear on a public blog read by the WORLD media. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should visit our website where you can decrypt one file for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. In practice - time is much more valuable than money. [+] How to get access to our website? [+] Use TOR browser: 1. Download and install TOR browser from this site: https://torproject.org/ 2. Visit our website: http://l55ysq5qjpin2vq23ul3gc3h62vp4wvenl7ov6fcn65vir7kc7gb5fyd.onion When you visit our website, put the following data into the input form: Key: {KEY} !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we (the best specialists in this sphere) ready to make everything for restoring but please do not interfere. !!! !!! !!!

  • sub

    143

  • svc

    QBCFMonitorService

    thebat

    dbeng50

    winword

    dbsnmp

    VeeamTransportSvc

    disk+work

    TeamViewer_Service.exe

    firefox

    QBIDPService

    steam

    onenote

    CVMountd

    cvd

    VeeamDeploymentSvc

    VeeamNFSSvc

    bedbh

    mydesktopqos

    avscc

    infopath

    cvfwd

    excel

    beserver

    powerpnt

    mspub

    synctime

    QBDBMgrN

    tv_w32.exe

    EnterpriseClient

    msaccess

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\full.enc.exe
    "C:\Users\Admin\AppData\Local\Temp\full.enc.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1888
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4924
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4816
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4708
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\g134d8z9-README.txt
        1⤵
          PID:1928
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\RequestConvertTo.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          1⤵
            PID:3992
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\PingDebug.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
            1⤵
              PID:3788

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\Desktop\g134d8z9-README.txt
              Filesize

              6KB

              MD5

              a97a9c0e1c569c41a0c3950689700c5e

              SHA1

              b7f07d1fef9a4ab6f5baa1f1a2374647db4b8f61

              SHA256

              5549d33e34e4a458662dd1d5dc27782fe80b22eb81736f488a423ee0d54635af

              SHA512

              24a82f8d83bd73979cb4d5ef86a4c4319caa2576dbea27360cef6d7a73d2648cfbd2d51b42eb9e8fec6721b64a6ac170b4423a8ed74cf840fc65a199da604486

              Download Submit

            • memory/1888-132-0x0000000000CD0000-0x0000000000CF1000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1888-133-0x0000000000CD0000-0x0000000000CF1000-memory.dmp

              Filesize

              132KB

              Download

            • memory/1888-135-0x0000000000CD0000-0x0000000000CF1000-memory.dmp

              Filesize

              132KB

              Download