Overview

overview

10

Static

static

10

5168a54f2a...85.exe

windows7-x64

1

5168a54f2a...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-03-2023 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5168a54f2a95db57fee8d606918b80792d84e0990936a86b4f0030ec47624e85.exe

  • Size

    391KB

  • MD5

    6c68d36f1992d3fdf656df111c93790a

  • SHA1

    c2a0733beaf1e38cf38a0a832f917587be271e1b

  • SHA256

    5168a54f2a95db57fee8d606918b80792d84e0990936a86b4f0030ec47624e85

  • SHA512

    0361803bae998eac72191cff678e68f0746013e80dd94198fceb774037df5961b3409bb08cd41bdffb9884a87697127a8a15caab0dcf24523119546f8273cf8f

  • SSDEEP

    12288:9Y0NvuU8qt3H12h1VSju2U1jEpnL6dmouQ7pKnPzOHh2hF0:9fNvGqt3VA1VSju2U1jEVL6dmouQ7pKU

Score
10/10
sodinokibiransomwarespywarestealer

Malware Config

Extracted

Path

C:\Recovery\ffbg047b-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ffbg047b. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC4DC1B8D54430DC 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/AC4DC1B8D54430DC Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: oMYixApareT/ezidYrDlN2MKkj4G5pjd4e7dl5aUjOf29j+wAiE/w5l5epeMQ0y1 ZyXs2I56czCGBacuYI5HSloeoSYUrCLC6Y+XyoGH7A8lOjyRvk/Wgf+QV9o1+ywK NlP2asPrsM74+AlagdHdunJVzeK2Vv9qcrq1Qax7FaYFGPlOjiUBg9D/APmL96f9 QjkjEUsX9h8BDxHcOQx5zggsX8yhPfeejotgd39Tqdu7sz/fnXeHHR6DqyAi5Zrn O4NzYQ6h1LeCOdHraEqfvJ1vhVKoo8O69wYSpHpgqBpAK1t/KZR1DYmMxjPrNcoE OOCIdj/A4M88ncA+MvYSCHVCoFhmppAxJ9Ink7DscfPO0wOH2c4Ge0uJDTbBUj5a H5P1j8IHWLaZwI3GrkpOndmq31ibgqClg4P5zcMqJu3IJ36+43QuDptheMX5Pl1a KM3F03xdUxDSzcc6EzsMa8NhnHSVe2a6zLn2FpSN0HefXfCUHHD7Z957YtSh8QtL iyUrrRcTDiP4tDY5T1BXHLC6FtLh2S05esIacyS9/qppQOPh71YCMOH9vx7e4MdQ PmMKdX3ZgxjLS6iGo9ucD1TGjXsBpguhYywTTaKB3EPzslbxB0SKHzTSCBMKY3Yf ZfVQGDZIrxgi3nfz0hh8O2wsxx7/igMtsd3aOzWYMnTtHa1TGSsHk0BQTFkjuyAY KtXg3tYgNsOaev878IVtWqiBG4Ry47FzJPjJ0NcEbwsNBGGg7D09Atp9TboBLIwg bbBljx6er4PXTAh3eQfd15lI3ARdB9h2Trt/uyo+sBIB1gPKyilp9HNjFXcuZ3a2 RnkEcrYhxac4zUxUYgrkYTwIXo4Fs9ddBjuxIikrBsQ05MAJLqPYm9+Ubab+O5Mf sDKEaVJjEoaTRevda6oelr6Qzm8VrfrWN8zZZnDgTIHQAb1jGJqVvZE8oqo0L10G ITvv8L3aMCZvpZvD4++Mf415kqgnnXigs8xIKwCtSLAHKe9w3pBoQB+wJ4QqiPOJ mKg/1CbFL328O8MlXsCLNL0rwCm/epnaI2wVOYJQXkSP0O/ivWqHoHFegwcOuJXt sC6EV7qdUVF+RGEZI0RgaipA/ZQ4fN3g8TFU+FfLhUxf00tJDjaer2oPhvkvfPK4 A113Tio8GWCx+A== Extension name: ffbg047b ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AC4DC1B8D54430DC

http://decryptor.top/AC4DC1B8D54430DC

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5168a54f2a95db57fee8d606918b80792d84e0990936a86b4f0030ec47624e85.exe
    "C:\Users\Admin\AppData\Local\Temp\5168a54f2a95db57fee8d606918b80792d84e0990936a86b4f0030ec47624e85.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
        PID:3032
    • C:\Windows\system32\wbem\unsecapp.exe
      C:\Windows\system32\wbem\unsecapp.exe -Embedding
      1⤵
        PID:1964

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Defacement

      1
      T1491

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\ffbg047b-readme.txt
        Filesize

        6KB

        MD5

        ee6ecc72180a8022ca5a01177bbcd315

        SHA1

        8adec4be6fbe2a6b3eec327001fcb62517dc07aa

        SHA256

        753f957a5195ec4048cb86314308d7a0e3b6cb41a4b3b4b99a8dbdf432db5ac2

        SHA512

        ea5d6b7d62c743fad3773013b5bc05c719a7a805d3074e6247da589c9c2ccd08ccb3e4cb1a233efdc494151511cd4fbc802f39e6aa9016a8b2ab5f80f4333a09

        Download Submit