Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-12-2022 20:22

General

  • Target

    ae51159dc4bf82756e1a1d174c79569f3a0dfb7e6ac4ae85f70ba471a1cd101e.exe

  • Size

    164KB

  • MD5

    d80cdb5a52e2f47dbd3ef4c8f43bcc13

  • SHA1

    69a95fe11c575f0ec77958e0becd197c26df1e3c

  • SHA256

    ae51159dc4bf82756e1a1d174c79569f3a0dfb7e6ac4ae85f70ba471a1cd101e

  • SHA512

    f013a1d23bd31c54f2040c5061b372ccd55bad689b1bb820c00d3796aee1dfffd67b5cc5d0358d2b744a33818d5f3aae523de0452aa65faad281ab1b9ac64c21

  • SSDEEP

    3072:ffYWjswg4fQlt4ndm8jX5IXzs+M9VQHDO/Qkh1c/5n:ffYWAw9fcUdmwIXo+M9VQHDi/q5

Score
10/10

Malware Config

Extracted

Path

C:\x5147b-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion x5147b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:
1) [Recommended] Using a TOR browser!
   a) Download and install TOR browser from this site: https://torproject.org/
   b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC3797928C2C1E0B
2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
   a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
   b) Open our secondary website: http://decryptor.top/AC3797928C2C1E0B
   c) If you are having difficulty purchase bitcoins, or you doubt in buying decryptor, contact to any data recovery company in your country, they will give you more guarantees and take purchase and decryption procedure on themselves. Almost all such companies heared about us and know that our decryption program work, so they can help you.

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:

Key:
rNksZLIyyYNt/ymwwpgoemIu2reLTyt6kRb3OG7LudO8f62R+477/4oVVd/nLJi6
UtlBPVFH/Ac6wttKw1Xb3tgMq68xR0ysx/oUO79Zm2g6tK9NYzwodNeyc+sNaip1
2by0Khi+MqMpqIusBKF8dIGacFksG5ovvknBBFJQ7+xiZxZGlo7Ppm6KnlYmEgVE
3YWlmGOA1sls5KWEkVoVkMyhBFJ8QZ5SXmCKw7Z8TV+y3yB/eiEQpNRQ0ALC6wl6
DB6E/B/15S7PHWyKOwy2gvG6C+N62cjvdl/oKd0oZelm9RT2iJVbLlDhLMTU1vr4
mAD97U1rzPvZBSzt7+fC9wxPsDa1duVFVPIUvM/vz0kJrRhF7d6v35quEFD9TWgg
swLL8f3s/0AtJulOeCe/QsY/Nr4aR1mHVs3FqPApie/INrVcumF7wMCFVITogw7M
4sDdgcR3jVb0dR7jdYYeGEIWUaT/lYyl0VZAJOBVfh9/tKLAagQc9jHlcZ2HJUMX
qB+osm1dTMR75LzrAekptGDsz1ioScAZuA8ZxJ8tRAAQ5eMSkXjmkGj8EECHVJkY
6w2qVLoqBLujXedRN4TcPSSa9ecyzUXqNPISkpmPpfAvrUg2jzvzCjyWDP92wi9v
lptPajfpX2l2Rcl2tni+1tUjwZ6GUHI2rGT2FZoqsj6O+Fq7aReSACBOwc4TLU5X
L4Jx+LflPqpga75X/nwBZmRlnMUbYYTzeIRho4ZSGyzE2W1M+OrGqxXYlIwOgO4L
18qYheGrt+2iHanQZy36KL6wcBr65g77xBmV5UT+Lrfd24Zr6iNd55z92IMEiCoT
TkubZJ93aM7yLvUqh4L8PbZR7arPhcg+ZMubiTCheaiFpbYZBC2Dn6uNDTXdlorn
6LF//xTGlpTujHZt+tDzedh2QxfggHi8yjUrCiZ/1QnlTJkUzyFWgWYTOMUymKoa
sDkwr2s7mExzwiXJLnJpyGomjTNbKGCSiHjtab7yGj2nFgFfCFLAtpYoPVz1UxVs
LyKLgc9mYsnkd24+xm7C4MR5VRMwu+YoQxPWYLUBPmoA79PCFG2C08+cDx3zmBjE
ge/kahTLnQ3KX+mOQm/FuGhJorL1T+bpWBryWVXyWjAqCglUXrvSLbLb9i7QpbYi
plCmAH+2/gA=

Extension name: x5147b

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!

===========================================

The note then repeats the same text in Korean and in Traditional Chinese (machine-translated; the Korean copy drops or garbles several sentences), each with the identical key blob, extension name x5147b and the same two URLs.
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC3797928C2C1E0B

http://decryptor.top/AC3797928C2C1E0B

Signatures

  • Sodin / Sodinokibi / REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files (10 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae51159dc4bf82756e1a1d174c79569f3a0dfb7e6ac4ae85f70ba471a1cd101e.exe
    "C:\Users\Admin\AppData\Local\Temp\ae51159dc4bf82756e1a1d174c79569f3a0dfb7e6ac4ae85f70ba471a1cd101e.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      The -e payload is base64 over UTF-16LE text and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
      That is, every Volume Shadow Copy on the host is deleted through WMI before the ransom note is dropped, so that files cannot be restored from previous versions.
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:3008
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4256

  unsecapp.exe -Embedding (the sink that receives asynchronous WMI callbacks, started by DCOM) and vssvc.exe (the Volume Shadow Copy service, started on demand) appear as separate top-level processes rather than as children of the sample. That is consistent with them being side effects of the WMI shadow-copy query and deletion above, not additional payloads.
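The PowerShell step in the process tree is the one action here that a defender can turn into a host-level detection. The following Python is an added example (mine, not part of the sandbox report or of any vendor's rule set): it decodes `-EncodedCommand` payloads the way powershell.exe does (base64 over UTF-16LE, any unambiguous prefix of the switch name such as -e, -ec or -enc) and then runs shadow-copy deletion patterns over both the raw and the decoded command lines. The encoded string is the one recorded above for PID 4252; the "Image|CommandLine" log shape, the benign encoded one-liner and the vssadmin/wmic/wbadmin lines are constructed for the example, and every function name is my own.

```python
"""Added example (not from the report): flag shadow-copy deletion in process
command lines, including the UTF-16LE base64 payload of powershell -EncodedCommand."""
import base64
import re

# The encoded command recorded in the report above for child powershell.exe (PID 4252).
REPORTED_ENCODED = "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="


def encode_for_powershell(script: str) -> str:
    """Produce what powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed benign sample: an administrator running a harmless encoded one-liner.
BENIGN_ENCODED = encode_for_powershell(r"Get-Date | Out-File C:\temp\last-run.txt")

# Constructed log lines in an "Image|CommandLine" shape, as one might export from
# Sysmon Event ID 1. Line 2 carries the command line from the report above; the
# other lines are invented for this example.
SAMPLE_LOG = [
    r"C:\Users\Admin\AppData\Local\Temp\ae51159dc4bf82756e1a1d174c79569f3a0dfb7e6ac4ae85f70ba471a1cd101e.exe|"
    r'"C:\Users\Admin\AppData\Local\Temp\ae51159dc4bf82756e1a1d174c79569f3a0dfb7e6ac4ae85f70ba471a1cd101e.exe"',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -e " + REPORTED_ENCODED,
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -EncodedCommand " + BENIGN_ENCODED,
    r"C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
]

# Shadow-copy / backup destruction patterns, applied to raw and decoded text.
SHADOW_DELETE = {
    "wmi_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*(?:\.delete\s*\(|remove-ciminstance|remove-wmiobject)", re.I | re.S),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    so match on prefix rather than on a fixed spelling. The payload must be valid
    base64 of UTF-16LE text; anything else is treated as "not an encoded command".
    """
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        if not name or not "encodedcommand".startswith(name):
            continue
        try:
            return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def analyze(image: str, cmdline: str) -> dict:
    """Decode if needed (regardless of image name, since binaries get renamed) and
    return the matched pattern names for this process start."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in SHADOW_DELETE.items() if rx.search(haystack)]
    return {"image": image, "decoded": decoded, "hits": hits}


def scan(lines) -> list:
    """Run analyze() over 'Image|CommandLine' records; return only the alerts."""
    alerts = []
    for line in lines:
        image, _, cmdline = line.partition("|")
        result = analyze(image, cmdline)
        if result["hits"]:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["image"], alert["hits"])
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

Decoding is attempted on every record, not only on images named powershell.exe, because the binary is trivially renamed or copied; the cost is one failed base64 decode on non-matching lines. The benign encoded line decodes cleanly and produces no alert, while the REvil line, vssadmin and wmic each produce exactly one.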

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • memory/4252-132-0x0000000000000000-mapping.dmp

    • memory/4252-133-0x0000022C2B890000-0x0000022C2B8B2000-memory.dmp

      Filesize

      136KB

    • memory/4252-134-0x00007FFD835D0000-0x00007FFD84091000-memory.dmp

      Filesize

      10.8MB

    • memory/4252-135-0x00007FFD835D0000-0x00007FFD84091000-memory.dmp

      Filesize

      10.8MB