Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-04-2023 03:51

General

  • Target

    2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe

  • Size

    165KB

  • MD5

    e4be3e7aa3e471f7c42ec7ba35c3d69f

  • SHA1

    5640beca5831e8a49031cd335a31415bfc8f3282

  • SHA256

    50fdb342de90ce63c31625156beb9ed968bf11527ce7c4c3bd4a3f3f7c4cf730

  • SHA512

    11b7e7659b083d1a7a060c7512651089fab63960e96083a60123c44cdd957a022c7d0af8c7b1bb7db364c44d30333ec2e121a9f4a85659f61143c8f36504fc26

  • SSDEEP

    3072:eCEq0R0nZ5ys5n4Y9doh7O79siUs/NaV4mKI3EeUO:lw02sJPi7O93NK4mKI0VO

Score
10/10

Malware Config

Extracted

Path

C:\Recovery\ncyx0rm-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your computer has extension ncyx0rm. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4DAD1982572985D 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/B4DAD1982572985D Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: 3GLYUgxH1M7/6ksVlJuMQIFn6vINI0SUT92KI7fHyOQSclTnL7uUR3ug4EvGd5VX hNAjozYOqwn+Ntz3rQrLt4hqWQO8zH//iw605cKQkn87Kz3IvjyB+wchzwxXiR+f ArYZa/IbmixKYGWmNmCxZaF/zGM8Wz8814z3nNHnRLqv8WYhzFALatZXP6SM1Rbc T3QCwSjwgWwLTTnoO9n/RdLQFed7bzNbD8LIfnqWiB5vEbcF6+pCPWzjxKHT4yna Ld9FmYRNeG0/e1VYzfWq1c+zN4JSjGc993JcjXXyU7kV7126nUdk5Cz8ZSlW9yaw M3nlDiGgQOW86A2hE6ztX+il7OiByMgp5H59VAvTPW6vZyvHMoDQ/5h3GujFUyDo iuMU4AYZElF8f+0DtxpNyhY557iyprWlOkWykQ3SZYdDar5Rja/yOfNYhMWCk70A N9bRiKhDy4dcKU9UPN+daCssVK4OBbfYKnE53xfrP9VQHsA7UgD/CnyNYp4NPE21 dHUtJItc7BFGUPfsYJrz9lnPW4zvKQSXzIQXhyJ50mFvmPL8ulbQOmtdEoICVJFs RgZgRkVxB27Q0QIbGxy29Z1LhBLb6S6p4NUJ9cjGRIwC+6BtXK3kAoStvkq0R+vf vNIKSXD6naEC47sJiKkBg9Vie9ElF6e6RUGmoqbX/tpJm5jP+xhkEkxLFyB4a5tU pDhM/sKp0JCMxHJxPkgOsPN0uMRRh5wsdmXLftVNlVMVPLlipmq1nYNc51+suY23 4c4cM5H0ufiW23mllkMiN26DsCpmzIbi3nSZnW0Lw50OPjyME6+/oH1KZLxI25VG xpndphioia+/CfaYXLCTd3Gl3L8pe4Wgn/afQxAnOUhLYEc8l8Et48xMcUJPW3S/ +QOwhcid6jlU3VqeHlQzLehGpIttzHx4IjtcUgu5wWeohY5SJc8kp3Y22ond8Tid x4E10bXJVIlO/I+gPxp33cgl+guIlruOLISxw3CRVm1esRicpg0fCnwvPvWcUzUo GTN5VU7p+y/FfBxmj0bnTuqfK804/5TZyusF/s149/UtBfxxpw3b9X+i7jmbgWc+ 3Mrv/d+NZEmF9AcUGRqUvT7m8F/JVkKJ7x8OFPo3TBA2w5K7gU5eE7HcYnj9KFk6 PPgEr3aZeh0496km Extension name: ncyx0rm ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B4DAD1982572985D

http://decryptor.top/B4DAD1982572985D

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Modifies extensions of user files (7 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives (3 TTPs, 25 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (32 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-04-20_e4be3e7aa3e471f7c42ec7ba35c3d69f_revil.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:2388
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3704

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Recovery\ncyx0rm-readme.txt

      Filesize

      6KB

      MD5

      14efa44ca00c3a22b7078bbee3c5ca44

      SHA1

      932219d37f4d4dcee1c163a9d2ff5c384cf80458

      SHA256

      cffe674b2be6d99edb656595127e4dbd962c39e5f85aba9e7909d592d8daa680

      SHA512

      5ba206202ec69f1cbae227f587b2cdab8880c6d109e9e7192a615229f241579f491820b64e1923fdc0b43ea320957f07d01ebef4fd10c742a11e0aa54a33f15b

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_huoihjem.hmx.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2836-142-0x000002054A090000-0x000002054A0B2000-memory.dmp

      Filesize

      136KB

    • memory/2836-143-0x000002054A140000-0x000002054A150000-memory.dmp

      Filesize

      64KB

    • memory/2836-144-0x000002054A140000-0x000002054A150000-memory.dmp

      Filesize

      64KB

    • memory/2836-145-0x000002054A140000-0x000002054A150000-memory.dmp

      Filesize

      64KB

    • memory/2836-148-0x000002054ACD0000-0x000002054AEEC000-memory.dmp

      Filesize

      2.1MB