Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-02-2023 05:34

General

  • Target

    86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe

  • Size

    174KB

  • MD5

    4b4c98ac8f04680f7c529956cfe8519b

  • SHA1

    e6dccf4b1fc5ab116b6bc1321346b35dbf42f387

  • SHA256

    86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b

  • SHA512

    59aa35ec0d7ac93c2b824a9f0dfb97dce3a042c584309af32d62ef6e767cbbd780af3f977c7d0cc32416e507b7c104cb504b582e37c2a896d3cb0de56d0443c7

  • SSDEEP

    3072:DYjClDhQlDvrcnVbOZh8gjVCMDSgpFnS+bKECYt+ei/Bx+GCokRwmpwegaZzTsfn:DDOYwhdlFbfEeOBx+GGwelWfCEoKMQ

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$10$qQ5kF6JmNztrQdZQ4EZ/reZ9TdKVES4AMEX9dQ.5V6UwJq4WsyZky

Campaign

3537

Decoy

parkcf.nl

live-con-arte.de

adoptioperheet.fi

denifl-consulting.at

run4study.com

highimpactoutdoors.net

pasvenska.se

kenhnoithatgo.com

psa-sec.de

rieed.de

solhaug.tk

101gowrie.com

mylovelybluesky.com

naturavetal.hr

jameskibbie.com

oneplusresource.org

brandl-blumen.de

humancondition.com

adultgamezone.com

joyeriaorindia.com

Attributes
  • net

    true

  • pid

    $2a$10$qQ5kF6JmNztrQdZQ4EZ/reZ9TdKVES4AMEX9dQ.5V6UwJq4WsyZky

  • prc

    steam

    CagService

    outlook

    MsDtsSrvr

    vxmon

    mydesktopqos

    ssms

    bengien

    isqlplussvc

    VeeamTransportSvc

    msosync

    sqlagent

    dbsnmp

    DellSystemDetect

    Slsvc

    mspub

    sqbcoreservice

    mydesktopservice

    devent

    xfssvccon

    visio

    EnterpriseClient

    bedbh

    thunderbird

    sqlservr

    ocautoupds

    vsnapvss

    pvlsvr

    sqlwriter

    VeeamDeploymentSvc

    dbeng50

    msoidsvcm

    ocssd

    powerpnt

    fdhost

    encsvc

    thebat

    msoidsvc

    infopath

    oracle

    beserver

    VeeamNFSSvc

    wordpad

    tbirdconfig

    agntsvc

    msaccess

    firefox

    sql

    bpnetd

    raw_agent_svc

    fdlauncher

    benetns

    winword

    onenote

    excel

    ocomm

    synctime

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Hello! ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). We also download more then 1 TB of your data. You can see proof in our blog: http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/17?s=1548e2a273f97cb11d313e2e4176dfba Right now this post is unpublished. You can see it only with this link. [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! 
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3537

  • svc

    MSSQL$

    MVArmor

    sql

    MSExchange$

    svc$

    MSSQL

    VeeamNFSSvc

    BackupExecVSSProvider

    VSNAPVSS

    BackupExecAgentAccelerator

    BackupExecAgentBrowser

    AcronisAgent

    CASAD2DWebSvc

    BackupExecDiveciMediaService

    VeeamDeploymentService

    vss

    AcrSch2Svc

    veeam

    BackupExecJobEngine

    VeeamTransportSvc

    mepocs

    CAARCUpdateSvc

    memtas

    MSExchange

    backup

    MVarmor64

    stc_raw_agent

    sophos

    BackupExecRPCService

    PDVFSService

    bedbg

    WSBExchange

    ARSM

    BackupExecManagementService
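
The `prc` and `svc` lists above are the processes the sample terminates and the services it stops before encryption, so that open database, mail and backup files can be overwritten. Because the list holds fragments such as `sql`, `veeam`, `backup` and `svc$`, the service names are evidently matched as case-insensitive substrings rather than exact names. The following Python is an added example, not part of the sandbox report or the malware: it reuses a subset of the extracted lists and runs them over constructed, simplified Windows log lines (System log EventID 7036 "entered the stopped state" and Security log EventID 4689 process exit) to flag the kill burst that precedes encryption. The log format, the 60 s window and the threshold of five are assumptions for the illustration.

```python
"""Detection of a ransomware service/process kill burst (added example)."""
import re
from datetime import datetime, timedelta

# Subsets of the svc / prc lists extracted from this sample's config (page data).
SVC = ["MSSQL$", "MVArmor", "sql", "MSExchange$", "svc$", "MSSQL", "VeeamNFSSvc",
       "BackupExecVSSProvider", "VSNAPVSS", "vss", "veeam", "backup", "sophos",
       "mepocs", "memtas"]
PRC = ["steam", "outlook", "sqlservr", "sqlagent", "sqlwriter", "thunderbird",
       "firefox", "winword", "excel", "onenote", "msaccess", "oracle", "ocssd",
       "dbsnmp"]

# Constructed, simplified log lines: "<timestamp> <EventID> <message>".
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.*)$")
SVC_RE = re.compile(r"^The (.+) service entered the stopped state\.$")
PRC_RE = re.compile(r"^Process exited: (.+)$")


def matches_svc(service_name: str) -> bool:
    # Assumption: config entries are compared as case-insensitive substrings of
    # the service name, which is why fragments like "sql" and "backup" exist.
    name = service_name.lower()
    return any(s.lower() in name for s in SVC)


def matches_prc(image: str) -> bool:
    # prc entries are image basenames without extension; compare exactly.
    base = image.rsplit("\\", 1)[-1].lower()
    if base.endswith(".exe"):
        base = base[:-4]
    return base in {p.lower() for p in PRC}


def parse_log(text: str):
    """Return [(timestamp, 'svc'|'prc', name)] from the simplified log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        eid, msg = m.group(2), m.group(3)
        if eid == "7036" and (s := SVC_RE.match(msg)):
            events.append((ts, "svc", s.group(1)))          # service display name
        elif eid == "4689" and (p := PRC_RE.match(msg)):
            events.append((ts, "prc", p.group(1).rsplit("\\", 1)[-1]))  # image basename
    return events


def detect_kill_burst(events, window=timedelta(seconds=60), threshold=5):
    """Return [(window_start, sorted names)] for every window in which at least
    `threshold` distinct targeted services/processes stopped."""
    hits = sorted((ts, name) for ts, kind, name in events
                  if (kind == "svc" and matches_svc(name))
                  or (kind == "prc" and matches_prc(name)))
    alerts, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        j, names = i, set()
        while j < len(hits) and hits[j][0] - start <= window:
            names.add(hits[j][1])
            j += 1
        if len(names) >= threshold:
            alerts.append((start, sorted(names)))
            i = j            # the burst is consumed; do not re-alert on its tail
        else:
            i += 1
    return alerts


# Constructed sample log: six targeted stops within four seconds, plus noise.
SAMPLE_LOG = r"""
2023-02-01 05:34:10 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2023-02-01 05:34:10 7036 The Veeam Backup Service service entered the stopped state.
2023-02-01 05:34:11 7036 The Windows Update service entered the stopped state.
2023-02-01 05:34:11 7036 The Sophos Endpoint Defense Service service entered the stopped state.
2023-02-01 05:34:12 4689 Process exited: C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE
2023-02-01 05:34:12 4689 Process exited: C:\Windows\System32\notepad.exe
2023-02-01 05:34:13 4689 Process exited: C:\Program Files\Mozilla Firefox\firefox.exe
2023-02-01 05:34:13 7036 The Backup Exec Job Engine service entered the stopped state.
2023-02-01 05:36:40 7036 The Print Spooler service entered the stopped state.
"""

if __name__ == "__main__":
    for start, names in detect_kill_burst(parse_log(SAMPLE_LOG)):
        print(start.isoformat(), len(names), "targeted stops:", ", ".join(names))
```

The substring rule is deliberately loose on the detection side too: a single stop of the SQL Server service is routine, so the alert keys on the number of distinct config-matching stops inside one short window, which is what distinguishes this pre-encryption step from maintenance.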

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe
    "C:\Users\Admin\AppData\Local\Temp\86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\AppData\Local\Temp\86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe
      "C:\Users\Admin\AppData\Local\Temp\86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe"
      2⤵
        PID:936

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    System Information Discovery

    1
    T1082

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsd1AE2.tmp\System.dll (an ns*.tmp plugin directory of this kind is created by NSIS installers; System.dll is the NSIS System plugin, so the outer file is an NSIS-packaged loader)
      Filesize

      11KB

      MD5

      b0c77267f13b2f87c084fd86ef51ccfc

      SHA1

      f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

      SHA256

      a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

      SHA512

      f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

    • memory/936-56-0x0000000000403DF5-mapping.dmp
    • memory/936-58-0x0000000000400000-0x000000000041F000-memory.dmp
      Filesize

      124KB

    • memory/1532-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp
      Filesize

      8KB
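
The Processes tree shows the sample (PID 1532) starting a second copy of itself (PID 936) while the parent is flagged for WriteProcessMemory, SetThreadContext and MapViewOfSection, and the child's memory dump spans 0x400000-0x41F000 with a mapping at 0x403DF5. That sequence is consistent with process hollowing, i.e. the loader writing the unpacked payload into a suspended child of its own image. The Python below is an added example, not part of the report or the sandbox: a heuristic over constructed Sysmon-style ProcessCreate (EventID 1) and ProcessAccess (EventID 10) records that mirror this tree. The explorer.exe and cmd.exe PIDs and the GrantedAccess values are constructed; the access-right constants are the documented Windows values.

```python
"""Self-injection (process hollowing) heuristic over Sysmon-style events (added example)."""

# Windows process access rights (winnt.h values).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
HOLLOW_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE   # needed to write a payload into another process

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b.exe")

# Constructed events mirroring the report's process tree (PIDs 1532 -> 936 from the page,
# explorer.exe / cmd.exe PIDs and GrantedAccess values are assumptions).
EVENTS = [
    {"EventID": 1, "ProcessId": 1532, "Image": SAMPLE,
     "ParentProcessId": 1000, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessId": 936, "Image": SAMPLE,
     "ParentProcessId": 1532, "ParentImage": SAMPLE},
    {"EventID": 10, "SourceProcessId": 1532, "TargetProcessId": 936,
     "GrantedAccess": "0x1F0FFF"},                        # PROCESS_ALL_ACCESS
    {"EventID": 1, "ProcessId": 1400, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessId": 1000, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 10, "SourceProcessId": 1000, "TargetProcessId": 1400,
     "GrantedAccess": "0x1000"},                          # QUERY_LIMITED_INFORMATION only
]


def find_self_injection(events):
    """Return [(parent_pid, child_pid, image)] for every child whose image equals its
    parent's image and whose parent then opened it with VM_WRITE | VM_OPERATION."""
    self_spawns = {}
    for e in events:
        if e["EventID"] == 1 and e["Image"].lower() == e["ParentImage"].lower():
            self_spawns[(e["ParentProcessId"], e["ProcessId"])] = e["Image"]
    findings = []
    for e in events:
        if e["EventID"] != 10:
            continue
        key = (e["SourceProcessId"], e["TargetProcessId"])
        access = int(e["GrantedAccess"], 16)
        if key in self_spawns and access & HOLLOW_MASK == HOLLOW_MASK:
            findings.append((key[0], key[1], self_spawns[key]))
    return findings


def dump_span_kb(start: int, end: int) -> int:
    """Size in KB of a dumped region, as the report derives it from the address range."""
    return (end - start) // 1024


if __name__ == "__main__":
    for parent, child, image in find_self_injection(EVENTS):
        print(f"self-injection candidate: {parent} -> {child} ({image})")
    print("child dump:", dump_span_kb(0x400000, 0x41F000), "KB")
```

A same-image child on its own is common (installers and browsers do it), so the rule requires the write-capable handle as well; the region check reproduces the report's 124KB figure for the child's 0x400000-0x41F000 dump, the size of a small unpacked PE mapped at its preferred base.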